Chapter 1

Introduction To Public Key Cryptography

Cryptography has been an area of mathematical study for centuries. Historically, the study of cryptography focused on the design of systems that provide secret communication over an insecure channel. Recently, individuals, corporations, and governments have started to demand privacy, authenticity, and reliability in all sorts of communication, from online shopping to discussions of national secrets. As a result, the goals of cryptography have become more all-encompassing; now, cryptography might better be defined as the design of systems that need to withstand any malicious attempts to abuse them. This thesis will focus on modern algorithms and techniques for confidentiality, which are also known as encryption schemes. However, the purposes of cryptography include not only secret or confidential communication, but also authentication of the entities involved in the communication, authentication of the data transmitted by those entities, and many others.

The oldest encryption schemes are known as symmetric key or secret key systems. 
Such systems consist of two main algorithms: an encryption algorithm, which allows one 
entity to encrypt or "scramble" data, and a decryption algorithm, which allows another 
entity to decrypt or "unscramble" data. Each of these algorithms has an input called a 
key, which dictates some aspect of the algorithm's behaviour. In order for two entities 
(historically known as Alice and Bob) to exchange data securely, they must first share a 
secret key between them. If Bob wishes to send Alice a message, he uses the secret key 
with the encryption algorithm to encrypt the message. He sends the encrypted message 
(called the ciphertext) to Alice, and she uses the secret key with the decryption algorithm 
to decrypt the ciphertext and recover the original message. Since an eavesdropper (Eve) 
does not know the secret key, she should not be able to determine what the original 
message was. 

A physical analogy of a symmetric key scheme is often given in terms of boxes and 
padlocks. Suppose Alice and Bob each have a copy of a key for a padlock. If Bob wishes 
to send Alice a message, he writes the message on a piece of paper and places it in a 
box. He then uses his copy of the key to lock the box with the padlock, and he sends 
the locked box to Alice. When she receives it, she uses her copy of the key to unlock 
the padlock, she opens the box, and she reads the message. If Eve finds the locked box, 
however, she cannot open the padlock because she does not have a copy of the key. 

Symmetric key encryption schemes are well-suited to many applications. They tend to be very efficient in time and space required for their implementation, and they tend to require only a small amount of key material for a high level of security. The main drawback of such schemes has come to be known as the key distribution problem: if Alice and Bob wish to communicate secretly but have never met, how do they share a secret key? They cannot send a secret key over an insecure channel because Eve might be listening and might learn the key; on the other hand, they do not yet share a secure channel over which to send a secret key. This problem was one of the largest problems in cryptography for many years. Some solutions might be for Alice and Bob to meet in person and agree on a key face-to-face (which is of course impractical if they live far away from one another) or for them to enlist the services of a third party to courier a secret key between them (which implies they both must trust the third party not to reveal the key to anyone). Further, for every pair of parties that wishes to communicate secretly, a unique symmetric key is required; thus the number of symmetric keys in the system grows rapidly.

In the late 1970s, the mathematicians Diffie and Hellman introduced a new idea: public key cryptography [DH76]. (In fact, a British intelligence researcher had discovered the same idea earlier [Ell70], but his discovery was not made public until later.) Like the secret key systems described above, a public key scheme has two main algorithms for encryption and decryption, each of which has an input called a key. The difference is that the keys used in the two algorithms are not the same. More specifically, Alice generates two keys of her own: a public key, which she shares with everyone (even her enemies) and a private key, which she keeps to herself. If Bob wishes to send Alice a message, he obtains a copy of Alice's public key, and uses her public key with the encryption algorithm to encrypt the message. He sends the ciphertext to Alice, and she uses her private key with the decryption algorithm to decrypt the ciphertext and recover the original message. Since Eve does not know Alice's private key, she should not be able to determine what the original message was. In other words, anyone can encrypt a message for Alice, since anyone can obtain Alice's public key, but once a message is encrypted for her, only Alice can decrypt it with her private key.

Again, we can illustrate the idea of a public key encryption scheme with a physical analogy in terms of boxes and padlocks. Suppose Alice has a number of empty boxes, a number of open padlocks (that can be locked without a key), and a key that opens all of the padlocks. She freely gives out these boxes and open padlocks to anyone who would like them. If Bob wishes to send Alice a message, he writes the message on a piece of paper, gets a box and lock from Alice, and places the message in the box. He then locks the box with the padlock, and he sends the locked box to Alice. When she receives it, she uses her key to unlock the padlock, she opens the box, and she reads the message. If Eve finds the locked box, however, she cannot open the padlock because she does not have a copy of the key. (After he has locked his message in the box, even Bob cannot get the message back out!)

The major advantage of these public key schemes is that they provide a solution 
to the key distribution problem. Public keys, by design, can be freely distributed to 
anyone without compromising the security of the system, so if Alice and Bob wish to 
communicate secretly but they have never met before, they need simply obtain one 
another's public keys. There are some disadvantages, in that public key schemes tend 
to be less efficient and the keys tend to be larger than in secret key systems, but these 
disadvantages are small compared to the advantages provided by such schemes. There are 
also ways to use public and secret key schemes together to minimise the disadvantages. 
There are several public key cryptosystems that have been proposed, and many have been studied in great detail. The study of these cryptosystems includes studying approaches to breaking them. Breaking a cryptosystem could have many meanings. For example, given only ciphertext, an attacker might try to determine partial or complete information about the corresponding original message. Given only an entity's public key, an attacker might try to determine partial or complete information about the corresponding private key. There are many variations on the same theme.

Whereas the cryptosystems that are currently in use generally have not been broken, attackers are constantly developing new attacks and improvements in technology are helping to speed up current attacks. Especially worrisome to the field of cryptography are developments in the area of quantum computing, which we will discuss in the next chapter. Even though a quantum computer of a sufficient size has not yet been implemented, the theory of quantum computing indicates that many of the cryptosystems currently in use could easily be broken if this implementation did occur. If a quantum computer is successfully built, we will therefore have to change the cryptosystems we use for encrypted communication so that attackers with quantum computers cannot decrypt it. Further, encrypted messages captured and stored in the past could also be decrypted by a future quantum attacker. Since there is a definite possibility that one day quantum computers will become technologically feasible, we need to prepare for that eventuality by analysing modern cryptosystems with respect to attacks with a quantum computer.



Chapter 2

Introduction To Quantum Computing

This chapter provides an overview of some aspects of quantum computing. For a more complete treatment of the history of the subject and many more details on the ideas discussed in this chapter, see for example [NC00].

2.1 Basic Concepts 

The computers that are in widespread use today are sometimes called classical computers. The behaviour of the elements in these computers can be described by the laws of classical physics, that is, those laws that were thought to be accurate around the turn of the twentieth century. However, early in the twentieth century scientists realised that those laws did not accurately describe the behaviour of all systems. For example, objects on an atomic scale behaved differently in experiments than was predicted by classical physics.

To more accurately describe these systems, scientists developed a new theory of physics called quantum physics. This theory includes elements of non-determinism, and it more accurately models the behaviour of all systems.

With this new model of physics, a new type of computer has emerged: the quantum computer. A quantum computer is a device that uses the laws of quantum physics to solve problems. There are many ways in which quantum computers could be implemented, some of which are summarised in [NC00]. This thesis will not be concerned with specific implementations, but it is important to note that quantum computers have been implemented successfully, albeit on a small scale. However, regardless of the particular implementation, the behaviour of a quantum computer is governed by a specific set of mathematical rules, namely the laws of quantum physics. A quantum computer can therefore be described completely generally and mathematically.

In a classical computer, information is stored and manipulated in the form of "bits". Each bit is represented in the computer by an object that exists in one of two states, usually referred to as 0 and 1. The computer can manipulate the states of the bits using various logical operations, and it may examine any bit and determine in which of the two states the bit currently exists.

In a quantum computer, information is stored and manipulated in the form of quantum bits, or "qubits". (Initially, qubits and classical bits seem to be completely different concepts, but as we will see, a bit in a classical computer is really a "restricted" qubit.) A qubit can exist in one of many different states. More specifically, we think of the state of a qubit as a unit vector in a two-dimensional complex vector space. As in any vector space, we could choose any basis and represent the qubit with respect to that basis. However, for each quantum system we model, we will choose a convenient orthonormal basis which we will call the "computational basis"; the computational basis states are denoted $|0\rangle$ and $|1\rangle$. In other words, the state of a qubit could be represented as

$$|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$$

where $\alpha$ and $\beta$ are complex numbers. The condition that $|\psi\rangle$ is a unit vector means that $|\alpha|^2 + |\beta|^2 = 1$. Such a linear combination of basis states is often called a superposition.

We cannot examine a qubit directly to determine its exact state (or in other words, the values $\alpha$ and $\beta$). According to the laws of quantum mechanics, when we measure the qubit, we obtain $|0\rangle$ with probability $|\alpha|^2$ and $|1\rangle$ with probability $|\beta|^2$. Further, when such a measurement is made, the state of the qubit "collapses" from its original superposition to either $|0\rangle$ or $|1\rangle$ depending on the outcome of the measurement. Apart from the measurement operation, we will restrict our attention to operations that treat the quantum computer as a closed system; that is, we will assume that no information about the state of the system is "leaked" to the apparatus or to an external system.

As we will see in Section 2.3, however, we can manipulate superposition states without extracting information from them. This fact allows us to perform operations that are impossible to implement with a classical computer (even a probabilistic classical computer). For example, as a state is manipulated, the amplitudes of each of the basis states can interfere with each other: two amplitudes of the same sign can combine constructively to increase the probability associated with a particular measurement outcome, or two amplitudes of opposite sign can combine destructively to decrease this probability. The existence of these quantum interference effects is one of the main differences between quantum and classical computers.

Despite these apparent differences, bits and qubits both model a physical system 
with two orthogonal states. The bits in a classical computer are essentially restricted 
qubits in that they do not exist in superposition states for long periods of time: they 
are continually leaking information about their states to external systems. The problems 
of maintaining coherent superposition states and preventing the computer from coupling 
with external systems are some of the main challenges that scientists must overcome 
when implementing a quantum computer. 

2.2 Hilbert Space 

As described above, we can model the state of a qubit as a vector in a two-dimensional complex vector space. In fact, the state of any quantum mechanical system can be modeled as a vector inside a special kind of vector space called a Hilbert space. For the purposes of this thesis we will restrict our attention to Hilbert spaces of finite dimension, but to describe general quantum systems we need to consider infinite-dimensional spaces. We briefly define a Hilbert space here; for a more complete description the reader may consult for example [Per95]:

Definition 2.1. A vector space $\mathbb{H}$ is called a Hilbert space if it satisfies the following three properties:

1. For any vectors $u, v \in \mathbb{H}$ and any scalars $\alpha, \beta \in \mathbb{C}$, $\alpha u + \beta v \in \mathbb{H}$.

2. For any vectors $u, v \in \mathbb{H}$ there exists a complex number $\langle u, v\rangle$ (known as the inner product of $u$ and $v$) the value of which is linear in the first component. Further, $\langle u, v\rangle$ and $\langle v, u\rangle$ are complex conjugates of one another, and $\langle u, u\rangle \geq 0$ with equality if and only if $u = 0$.

3. Let $\{u_m\}$ be an infinite sequence of vectors in $\mathbb{H}$ and define the norm of $u$ by $\|u\| = \sqrt{\langle u, u\rangle}$. If $\|u_m - u_n\| \to 0$ as $m, n \to \infty$ then there is a unique $u \in \mathbb{H}$ such that $\|u_m - u\| \to 0$ as $m \to \infty$. (In other words, any Cauchy sequence of vectors in the space has a limit which is also a vector in the space.)

This last property is known as the completeness property, and it is satisfied by every finite dimensional complex vector space equipped with an inner product. Thus in finite dimensions, every complex inner product space is a Hilbert space [NC00]. (This fact is not true in infinite dimensions.)

Suppose we have two quantum systems, the states of which can be modeled by vectors $|\phi\rangle \in \mathbb{H}_m$ and $|\psi\rangle \in \mathbb{H}_n$ (where $\mathbb{H}_m$ and $\mathbb{H}_n$ are Hilbert spaces of dimension $m$ and $n$, respectively). To describe the joint state of these systems, we use the "tensor product" of $|\phi\rangle$ and $|\psi\rangle$, denoted $|\phi\rangle \otimes |\psi\rangle$ or simply $|\phi\rangle|\psi\rangle$. This new vector is an element of a larger Hilbert space denoted $\mathbb{H}_m \otimes \mathbb{H}_n$ (which is in fact defined as the set of all linear combinations of tensor products $|\phi\rangle \otimes |\psi\rangle$ with $|\phi\rangle \in \mathbb{H}_m$ and $|\psi\rangle \in \mathbb{H}_n$).

By definition, a tensor product over two vector spaces $V$ and $W$ must satisfy the following properties for all $v, v' \in V$, $w, w' \in W$, and $\alpha \in \mathbb{C}$:

1. $\alpha(v \otimes w) = (\alpha v) \otimes w = v \otimes (\alpha w)$.

2. $(v + v') \otimes w = v \otimes w + v' \otimes w$.

3. $v \otimes (w + w') = v \otimes w + v \otimes w'$.

Also, if $A$ is a linear operator on $V$ and $B$ is a linear operator on $W$, then we can define the linear operator $A \otimes B$ on $V \otimes W$ by

$$(A \otimes B)(v \otimes w) = Av \otimes Bw$$

for all $v \in V$ and $w \in W$.

With these definitions, we are ready to describe more of the basic concepts behind 
quantum computing. 

2.3 Single-Qubit Gates 

In a classical computer, we perform computation using circuits of gates connected by wires that carry the bits between the gates. An example of a simple gate in a classical computer is the NOT gate, which maps 0 to 1 and 1 to 0. An analogous gate in a quantum computer would map $|0\rangle$ to $|1\rangle$ and $|1\rangle$ to $|0\rangle$. The laws of quantum mechanics state that if we are working in a closed system, we should define the gate's behaviour on a superposition by extending its behaviour on the basis states linearly. In other words, the quantum NOT gate maps

$$\alpha|0\rangle + \beta|1\rangle \mapsto \beta|0\rangle + \alpha|1\rangle.$$

Because a quantum gate is a linear operator on the space of quantum states, we can express it as a matrix with respect to the computational basis. We write the state $\alpha|0\rangle + \beta|1\rangle$ in vector form as

$$\begin{pmatrix} \alpha \\ \beta \end{pmatrix}.$$

The NOT gate can then be represented by a matrix $X$ such that for any $\alpha, \beta \in \mathbb{C}$ with $|\alpha|^2 + |\beta|^2 = 1$,

$$X \begin{pmatrix} \alpha \\ \beta \end{pmatrix} = \begin{pmatrix} \beta \\ \alpha \end{pmatrix}.$$

Thus we must have

$$X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}.$$



Any quantum gate that acts on a single qubit can similarly be expressed as a $2 \times 2$ matrix. However, the converse is not true: not every $2 \times 2$ matrix defines a valid quantum gate. The input and output of a quantum gate are both quantum states, which as mentioned previously are unit vectors in a two-dimensional complex vector space. Thus any quantum gate must be an operator that maps all unit vectors to unit vectors in this vector space; such an operator is called a unitary operator. An equivalent definition of a unitary operator says that $U$ is unitary if and only if $U^\dagger U = I$, where $U^\dagger$ represents the conjugate transpose of $U$, and $I$ represents the identity operator. It is in fact true that any unitary operator does define a "valid" quantum gate, although not every unitary operation can be performed efficiently in every quantum system; so many of these gates cannot be implemented efficiently.

The unitarity condition on quantum gates implies another important aspect of quantum computation: if we assume that our system is closed, quantum computation is "reversible". Since the inverse of any unitary operator is also unitary, the inverse operation of a quantum gate is also a quantum gate, and hence given the output of a gate $U$ we can recover the input by applying the valid gate $U^{-1} = U^\dagger$.

We will mention two more important single-qubit gates at this time. First, the Hadamard gate is defined by the matrix

$$H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$$

and maps $|0\rangle$ to $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and $|1\rangle$ to $\frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. Second, the phase gate is defined for any angle $\theta$ by the matrix

$$R_\theta = \begin{pmatrix} 1 & 0 \\ 0 & e^{i\theta} \end{pmatrix}.$$

This gate leaves the state $|0\rangle$ unchanged and maps $|1\rangle$ to $e^{i\theta}|1\rangle$. It is easy to see that these matrices are unitary, since $H^\dagger = H^{-1} = H$ and $R_\theta^\dagger = R_\theta^{-1} = R_{-\theta}$.
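As an added illustration of this section (example code written for this edition, not part of the thesis), the following pure-Python snippet builds the gates $X$, $H$ and $R_\theta$ as $2 \times 2$ matrices, checks the unitarity condition $U^\dagger U = I$ (and shows a matrix that fails it), applies the gates to a state written as $(\alpha, \beta)$, and reads off the measurement probabilities $|\alpha|^2$ and $|\beta|^2$. The function names are my own; no library beyond the standard `math` and `cmath` modules is assumed.

```python
# Added example (not from the thesis): a tiny 2x2 complex-matrix toolkit for
# checking the claims of Section 2.3 in pure Python (no numpy needed).
import cmath
import math

def matmul(A, B):
    """Product of two 2x2 matrices stored as nested lists."""
    return [[sum(A[i][k] * B[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]

def dagger(A):
    """Conjugate transpose A^dagger."""
    return [[A[j][i].conjugate() for j in range(2)] for i in range(2)]

def is_unitary(U, tol=1e-12):
    """A gate is valid iff U^dagger U = I (equivalently: unit vectors map to unit vectors)."""
    P = matmul(dagger(U), U)
    return all(abs(P[i][j] - (1 if i == j else 0)) < tol
               for i in range(2) for j in range(2))

def apply(U, state):
    """Apply gate U to (alpha, beta), the vector form of alpha|0> + beta|1>."""
    a, b = state
    return (U[0][0] * a + U[0][1] * b, U[1][0] * a + U[1][1] * b)

def probabilities(state):
    """Measuring in the computational basis gives |0> w.p. |alpha|^2 and |1> w.p. |beta|^2."""
    a, b = state
    return (abs(a) ** 2, abs(b) ** 2)

def vec_close(s, t, tol=1e-12):
    return all(abs(x - y) < tol for x, y in zip(s, t))

def mat_close(A, B, tol=1e-12):
    return all(abs(A[i][j] - B[i][j]) < tol for i in range(2) for j in range(2))

# The three gates of Section 2.3.
X = [[0, 1], [1, 0]]
H = [[1 / math.sqrt(2), 1 / math.sqrt(2)],
     [1 / math.sqrt(2), -1 / math.sqrt(2)]]

def R(theta):
    """Phase gate R_theta = diag(1, e^{i theta})."""
    return [[1, 0], [0, cmath.exp(1j * theta)]]

# A matrix that is NOT a gate: it maps the unit vector (0, 1) to (1, 1), whose norm is sqrt 2.
NOT_A_GATE = [[1, 1], [0, 1]]

def interference_demo():
    """H applied twice returns |0> to |0>: the |1> amplitudes cancel (destructive
    interference) while the |0> amplitudes add (constructive interference)."""
    plus = apply(H, (1, 0))   # (1/sqrt2, 1/sqrt2): measuring gives 0 or 1 w.p. 1/2 each
    back = apply(H, plus)     # back to (1, 0): measuring gives 0 w.p. 1
    return probabilities(plus), probabilities(back)

if __name__ == "__main__":
    for name, G in (("X", X), ("H", H), ("R(pi/4)", R(math.pi / 4)), ("NOT_A_GATE", NOT_A_GATE)):
        print(name, "unitary:", is_unitary(G))
    print("H then H:", interference_demo())
```

Running the script prints which of the four matrices pass the unitarity test and the two probability pairs of the interference demonstration; the phase gate changes no measurement probability on its own, which is why it only becomes useful in combination with $H$ and with controlled versions of itself later on.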



2.4 Multiple-Qubit Gates 

We can extend the definition of quantum gates to act on $n$ qubits at once. The state of $n$ qubits can be represented as a unit vector in a $2^n$-dimensional complex vector space, and again, the only condition on an $n$-qubit gate is that it must be a unitary operator on this vector space. An example of such a gate is the controlled-NOT (or CNOT) gate, whose two inputs are usually called the control and target qubits. The gate can be described as follows:

1. if the control qubit is $|0\rangle$, the target qubit is not modified, and

2. if the control qubit is $|1\rangle$, the NOT gate is applied to the target qubit.

There is an interesting result that emphasises the importance of the CNOT gate in quantum computation: any multiple-qubit gate may be constructed using only CNOT gates and single-qubit gates [BBC+95].

In a similar fashion we can extend any single-qubit gate to a controlled two-qubit gate. For example, the controlled-$R_\theta$ gate works as follows:

1. if the control qubit is $|0\rangle$, the target qubit is not modified, and

2. if the control qubit is $|1\rangle$, the gate $R_\theta$ is applied to the target qubit.

In other words, the gate leaves all of the computational basis states unchanged, except for $|1\rangle|1\rangle$, which it maps to $e^{i\theta}|1\rangle|1\rangle$.



Chapter 3

Introduction To Quantum Algorithms

An algorithm describes a way to solve a particular problem. For example, to solve 
the problem of dividing one number into another, we could use the algorithm of long 
division, which consists of many steps that are repeated until we obtain the quotient and 
remainder. In this section we will present several problems, and describe ways to solve 
them that involve preparing specific quantum states and applying to them some of the 
quantum gates defined in Chapter 2. By examining and measuring the output of certain 
sequences of quantum gates, we can solve a variety of problems. 

The quantum algorithms that we present in this chapter are the main tools that we will use in later chapters to analyse classical public key cryptosystems in a quantum setting. As we will see later, many of the cryptosystems we use today are less secure against attacks with a quantum computer since the problems on which these systems are based can be solved in polynomial time with quantum algorithms from this chapter.



3.1 Deutsch's Problem 

Consider the following problem, posed in [Deu85]:

Problem 3.1 (Deutsch's Problem (DP)). Given a function $f: \{0,1\} \to \{0,1\}$, determine $f(0) \oplus f(1)$ using only a single evaluation of the function $f$, where $\oplus$ is the componentwise XOR operation.

In other words, we wish to determine with a single evaluation of $f$ whether or not $f$ is a constant function: if $f(0) \oplus f(1) = 0$ then $f(0) = f(1)$ so $f$ is constant, and if $f(0) \oplus f(1) = 1$ then $f(0) \neq f(1)$ so $f$ is not constant.

If we consider this problem classically, it is impossible to solve: we can determine $f(0)$ or $f(1)$, but without knowing both we cannot solve the problem. (In fact, we cannot determine any information whatsoever that would help us to guess the solution correctly with probability greater than $\frac{1}{2}$.) However, if we consider the problem in a quantum setting and we are given a way to reversibly compute $f$, we can solve it. The solution originally proposed by Deutsch in [Deu85] was modified and improved slightly in [CEMM98] and it is this modified solution that we present here.

To perform a "quantum version" of $f$, we will use an additional qubit (since for a constant function $f$, the mapping $|x\rangle \mapsto |f(x)\rangle$ is not reversible). A typical choice for a reversible implementation of $f$ is the two-qubit unitary operator $U_f$ which performs the transformation

$$|x\rangle|y\rangle \mapsto |x\rangle|y \oplus f(x)\rangle$$

for $x, y \in \{0,1\}$.

Suppose that we initialise the second qubit to the state $\frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. When we apply $U_f$ to the qubits, by the linearity of quantum operators as discussed above,

$$\begin{aligned}
U_f\Big(|x\rangle \tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle)\Big) &= |x\rangle \tfrac{1}{\sqrt{2}}\big(|0 \oplus f(x)\rangle - |1 \oplus f(x)\rangle\big) \\
&= |x\rangle (-1)^{f(x)} \tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle) \\
&= \big((-1)^{f(x)}|x\rangle\big) \tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle).
\end{aligned}$$

Therefore, if we also initialise the first qubit to the state $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ before applying $U_f$ we obtain

$$\begin{aligned}
U_f\Big(\tfrac{1}{\sqrt{2}}(|0\rangle + |1\rangle)\,\tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle)\Big) &= \tfrac{1}{\sqrt{2}}(-1)^{f(0)}|0\rangle\,\tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle) + \tfrac{1}{\sqrt{2}}(-1)^{f(1)}|1\rangle\,\tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle) \\
&= \tfrac{1}{\sqrt{2}}\big((-1)^{f(0)}|0\rangle + (-1)^{f(1)}|1\rangle\big)\,\tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle).
\end{aligned}$$

Now we apply the Hadamard gate to the first qubit above:

$$\begin{aligned}
H\Big(\tfrac{1}{\sqrt{2}}\big((-1)^{f(0)}|0\rangle + (-1)^{f(1)}|1\rangle\big)\Big) &= \tfrac{1}{2}(-1)^{f(0)}(|0\rangle + |1\rangle) + \tfrac{1}{2}(-1)^{f(1)}(|0\rangle - |1\rangle) \\
&= (-1)^{f(0)}|f(0) \oplus f(1)\rangle.
\end{aligned}$$

Apart from the global "phase" of $(-1)^{f(0)}$ that precedes it, the qubit's state is the correct solution to the problem. Luckily, the laws of quantum physics tell us that the global phase will not affect the outcome of any measurement we perform on the state, and so we can simply measure this qubit and recover the solution $f(0) \oplus f(1)$.
We can summarise the quantum algorithm for Deutsch's Problem as follows:

Algorithm 3.2 (Solution To DP).

1. Begin with two qubits initialised to the states $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and $\frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$.

2. Apply the two-qubit quantum gate $U_f$ to the system.

3. Apply the Hadamard gate $H$ to the first qubit.

4. Measure the first qubit and obtain the integer $y$.

5. Return $y$.
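Algorithm 3.2 can be checked directly on all four functions $f: \{0,1\} \to \{0,1\}$ with a four-dimensional state vector. The following is an added example, not code from the thesis: it builds $U_f$ as a permutation matrix straight from the definition $|x\rangle|y\rangle \mapsto |x\rangle|y \oplus f(x)\rangle$, builds the gate $H \otimes I$ with a small tensor-product helper (Section 2.2), applies the oracle exactly once, and measures the first qubit. The basis-index convention ($2x + y$) and all helper names are my own choices.

```python
# Added example (not the thesis's own code): Algorithm 3.2 simulated for all four
# functions f: {0,1} -> {0,1}.  A two-qubit state is a length-4 vector indexed by
# 2*x + y, where x is the first qubit and y the second.  Pure Python, no numpy.
import math

SQ2 = 1 / math.sqrt(2)

# The four possible oracles.  For f(x) = x, U_f is exactly the CNOT gate of Section 2.4.
ALL_F = {
    "const0": lambda x: 0,
    "const1": lambda x: 1,
    "identity": lambda x: x,
    "not": lambda x: 1 - x,
}

def kron(A, B):
    """Tensor product of two matrices (Section 2.2): (A (x) B)(v (x) w) = Av (x) Bw."""
    ra, ca, rb, cb = len(A), len(A[0]), len(B), len(B[0])
    return [[A[i // rb][j // cb] * B[i % rb][j % cb] for j in range(ca * cb)]
            for i in range(ra * rb)]

def kron_vec(v, w):
    """Tensor product of two state vectors, first qubit = v, second qubit = w."""
    return [a * b for a in v for b in w]

def matvec(M, v):
    return [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]

def u_f(f):
    """Reversible oracle U_f: |x>|y> -> |x>|y xor f(x)>, as a 4x4 permutation matrix."""
    M = [[0] * 4 for _ in range(4)]
    for x in (0, 1):
        for y in (0, 1):
            M[2 * x + (y ^ f(x))][2 * x + y] = 1
    return M

H = [[SQ2, SQ2], [SQ2, -SQ2]]
I2 = [[1, 0], [0, 1]]
CNOT = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]

def deutsch(f):
    """Run Algorithm 3.2 on oracle f; return (y, probability of that outcome)."""
    # Step 1: (|0>+|1>)/sqrt2 on the first qubit, (|0>-|1>)/sqrt2 on the second.
    state = kron_vec([SQ2, SQ2], [SQ2, -SQ2])
    # Step 2: a single application of U_f.
    state = matvec(u_f(f), state)
    # Step 3: Hadamard on the first qubit only, i.e. the gate H (x) I.
    state = matvec(kron(H, I2), state)
    # Step 4: measure the first qubit; P(y) sums over both values of the second qubit.
    p0 = abs(state[0]) ** 2 + abs(state[1]) ** 2
    p1 = abs(state[2]) ** 2 + abs(state[3]) ** 2
    return (0, p0) if p0 >= p1 else (1, p1)

if __name__ == "__main__":
    for name, f in ALL_F.items():
        y, p = deutsch(f)
        print("%-8s f(0) xor f(1) = %d   measured y = %d with probability %.3f" % (name, f(0) ^ f(1), y, p))
```

For every oracle the measured value equals $f(0) \oplus f(1)$ with probability 1, as the derivation above predicts, and the oracle matrix is invoked once per run; the global phase $(-1)^{f(0)}$ shows up in the sign of the surviving amplitude but not in the probabilities.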



3.2 The Hidden Subgroup Problem 

Deutsch's problem is actually a special case of a more general problem:

Problem 3.3 (The Hidden Subgroup Problem (HSP)). Let $f$ be a function from a finitely generated group $G$ to a finite set $X$ such that $f$ is constant on the cosets of a subgroup $K$ of $G$ and distinct on each coset. Given a quantum network for evaluating $f$ (namely $U_f: |x\rangle|y\rangle \mapsto |x\rangle|y \oplus f(x)\rangle$), find a generating set for $K$.

In Deutsch's problem we had $G = \mathbb{Z}_2 = \{0, 1\}$. Using the language of HSP,

1. if $f$ is a constant function, we have $K = \{0, 1\}$ since $f$ is constant on $K$ (and there is only one coset of $K$, namely $K$ itself); and

2. if $f$ is not constant, then we have $K = \{0\}$, since $f$ is constant on $K$ and on $K + 1 = \{1\}$, and distinct on these two cosets.

Thus to solve Deutsch's problem we wish to determine whether $K = \{0, 1\}$ or $K = \{0\}$.

There are many other problems that can be thought of as special cases of HSP. We 
list two important examples below, and for many more, see [Mos99]. 

Problem 3.4 (The Order Finding Problem (OFP)). Given an element $a$ of a finite group $H$, find $r$, the order of $a$.

Let $f: \mathbb{Z} \to H$ be defined by $f(x) = a^x$. Then note that

$$f(x) = f(y) \iff a^x = a^y \iff a^{x-y} = 1 \iff x - y \in \{t \cdot r : t \in \mathbb{Z}\}.$$

That is, $f(x) = f(y)$ if and only if $x$ and $y$ are in the same coset of the hidden subgroup $K = r\mathbb{Z}$ of $\mathbb{Z}$. By finding a generator for $K$ we can determine $r$. Thus OFP is a special case of HSP.



Problem 3.5 (The Discrete Logarithm Problem (DLP)). Given an element $a$ of a finite group $H$ and $b = a^k$, find $k$. (This $k$ is called the discrete logarithm of $b$ to the base $a$.)

Suppose the order of $a$ is $r$. Let $f: \mathbb{Z}_r \times \mathbb{Z}_r \to H$ be defined by $f(x_1, x_2) = a^{x_1} b^{x_2}$. Then note that

$$f(x_1, x_2) = f(y_1, y_2) \iff (x_1 - y_1) + k(x_2 - y_2) = 0 \ (\text{in } \mathbb{Z}_r) \iff (x_1, x_2) - (y_1, y_2) \in \{(-tk, t) : t \in \mathbb{Z}_r\}.$$

That is, $f(x_1, x_2) = f(y_1, y_2)$ if and only if $(x_1, x_2)$ and $(y_1, y_2)$ are in the same coset of the hidden subgroup $K = \langle(-k, 1)\rangle$ of $\mathbb{Z}_r \times \mathbb{Z}_r$. By finding a generator for $K$ we can determine $k$. Thus DLP is a special case of HSP.
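The two reductions above can be checked by brute force in a small group. The following added example (not from the thesis) uses constructed values $p = 13$, $a = 2$, $k = 5$ in $H = \mathbb{Z}_{13}^*$: it finds the period $r$ of $f(x) = a^x$, enumerates the hidden subgroup $K$ of $f(x_1, x_2) = a^{x_1} b^{x_2}$ on $\mathbb{Z}_r \times \mathbb{Z}_r$, verifies the HSP promise (constant on cosets, distinct across cosets) and recovers $k$ from the generator $(-k, 1)$. Enumeration stands in for the quantum algorithm that finds $K$; the point is only how $r$ and $k$ fall out of $K$ once it is known. Function names are my own.

```python
# Added example (not from the thesis): the reductions of Problems 3.4 and 3.5 to
# HSP, checked by brute force in the small group H = Z_13^* with constructed
# values p = 13, a = 2 (a generator, so r = 12), k = 5, b = a^k mod p = 6.
# The quantum step, finding the hidden subgroup K, is replaced by enumeration so
# that the structure of K and the recovery of r and k can be seen directly.
from itertools import product

P, A, K_SECRET = 13, 2, 5          # constructed toy instance
B = pow(A, K_SECRET, P)            # b = a^k mod p = 6

def order_via_period(a, p):
    """Problem 3.4: f(x) = a^x mod p satisfies f(x) = f(y) iff x - y in rZ; r is the smallest period."""
    r = 1
    while pow(a, r, p) != 1:
        r += 1
    return r

def f_dlp(a, b, p):
    """Problem 3.5: f(x1, x2) = a^x1 b^x2 mod p on Z_r x Z_r."""
    return lambda x1, x2: (pow(a, x1, p) * pow(b, x2, p)) % p

def hidden_subgroup_dlp(a, b, p, r):
    """K = {(x1, x2) : f(x1, x2) = f(0, 0) = 1}: the coset of K containing the identity is K itself."""
    f = f_dlp(a, b, p)
    return {(x1, x2) for x1, x2 in product(range(r), repeat=2) if f(x1, x2) == 1}

def constant_and_distinct_on_cosets(a, b, p, r, K):
    """The HSP promise: f(x) == f(y) exactly when x - y (componentwise mod r) lies in K."""
    f = f_dlp(a, b, p)
    pts = list(product(range(r), repeat=2))
    return all((f(*x) == f(*y)) == (((x[0] - y[0]) % r, (x[1] - y[1]) % r) in K)
               for x in pts for y in pts)

def discrete_log_from_subgroup(K, r):
    """K = <(-k, 1)>, so the unique element of K with second coordinate 1 is (-k mod r, 1)."""
    for g1, g2 in K:
        if g2 == 1:
            return (-g1) % r
    raise ValueError("K contains no element of the form (-k, 1)")

if __name__ == "__main__":
    r = order_via_period(A, P)
    K = hidden_subgroup_dlp(A, B, P, r)
    print("r =", r, " |K| =", len(K), " promise holds:", constant_and_distinct_on_cosets(A, B, P, r, K))
    print("k recovered from K =", discrete_log_from_subgroup(K, r), " check a^k mod p =", pow(A, discrete_log_from_subgroup(K, r), P), "= b =", B)
```

Here $K$ has exactly $r$ elements $(-tk \bmod r,\ t)$ and is generated by $(-k, 1)$; in the quantum algorithm the only hard step is producing a generating set for $K$, after which $k$ is read off as above.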

We mention these two problems in particular because as we will see in the remainder of this thesis, if we have algorithms to solve these problems efficiently, we can break many of the classical cryptosystems that are in widespread use today. There do exist polynomial-time quantum algorithms that solve these problems, and we will discuss these algorithms later. In fact, there exist efficient quantum algorithms that solve the general HSP when the group $G$ is Abelian, as described in [Mos99]. Some work has been done to design algorithms for HSP in non-Abelian groups, although success has been limited. For example, an efficient algorithm was presented in [Ey00] that is able to determine some information about the generator of a hidden subgroup in a dihedral group, but there is no known way to recover the subgroup in polynomial time from this information. In [IMS01] some special cases of the problem were solved in non-Abelian groups, but the general case still remains open.

We now introduce one of the most important ingredients in many quantum algorithms: the Quantum Fourier Transform.

3.3 The Quantum Fourier Transform 

The Quantum Fourier Transform (QFT) provides a way to estimate parameters that are encoded in a specific way in the phases and amplitudes of quantum states. We will begin with a small three-qubit example, and then define the general QFT.

Assume $a$ is an integer, $0 \le a < 8$. Now suppose that we are given the three-qubit state

$$\big(|0\rangle + e^{2\pi i \frac{a}{2}}|1\rangle\big)\big(|0\rangle + e^{2\pi i \frac{a}{4}}|1\rangle\big)\big(|0\rangle + e^{2\pi i \frac{a}{8}}|1\rangle\big)$$

(ignoring the normalisation factors) and we wish to find $a$.

We can write $a = 4a_2 + 2a_1 + a_0$ where each $a_j \in \{0, 1\}$ and then rewrite the state as

$$\big(|0\rangle + e^{2\pi i (\frac{a_0}{2})}|1\rangle\big)\big(|0\rangle + e^{2\pi i (\frac{a_1}{2} + \frac{a_0}{4})}|1\rangle\big)\big(|0\rangle + e^{2\pi i (\frac{a_2}{2} + \frac{a_1}{4} + \frac{a_0}{8})}|1\rangle\big).$$

Recall the Hadamard gate $H$ from Section 2.3 and note that ignoring normalisation factors we could equivalently define it by the map

$$|x\rangle \mapsto |0\rangle + e^{2\pi i \frac{x}{2}}|1\rangle$$

for $x \in \{0, 1\}$. So if we apply $H^{-1} = H$ to the first qubit, we obtain $|a_0\rangle$. Next, we will try to determine $a_1$. Consider the following two cases:

1. If $a_0 = 0$, the second qubit is actually in the state $|0\rangle + e^{2\pi i (\frac{a_1}{2})}|1\rangle$.

2. If $a_0 = 1$, the second qubit is in the state $|0\rangle + e^{2\pi i (\frac{a_1}{2} + \frac{1}{4})}|1\rangle$. In this case, if we apply an $R_{-\pi/2}$ gate to the qubit, we get

$$|0\rangle + e^{2\pi i (\frac{a_1}{2} + \frac{1}{4})} e^{-i\pi/2}|1\rangle = |0\rangle + e^{2\pi i (\frac{a_1}{2})}|1\rangle.$$

Thus we will obtain a common state if we can decide, based on the state of the first qubit, whether or not to apply an $R_{-\pi/2}$ gate to the second qubit. In other words, we wish to apply a controlled-$R_{-\pi/2}$ gate to the first and second qubits. After this gate has been applied, our second qubit will be in the state $|0\rangle + e^{2\pi i (\frac{a_1}{2})}|1\rangle$ and we can apply an $H$ gate to the second qubit to obtain the state $|a_1\rangle$.

Similarly, if we now apply a controlled-$R_{-\pi/4}$ to the first and third qubits, the third qubit will be in the state $|0\rangle + e^{2\pi i (\frac{a_2}{2} + \frac{a_1}{4})}|1\rangle$. Then, applying a controlled-$R_{-\pi/2}$ to the second and third qubits will put the third qubit into the state $|0\rangle + e^{2\pi i (\frac{a_2}{2})}|1\rangle$. Finally, we can apply an $H$ gate to the third qubit to obtain $|a_2\rangle$.

The sequence of gates we have described, illustrated in Figure 3.1, implements the transformation

$$\big(|0\rangle + e^{2\pi i \frac{a}{2}}|1\rangle\big)\big(|0\rangle + e^{2\pi i \frac{a}{4}}|1\rangle\big)\big(|0\rangle + e^{2\pi i \frac{a}{8}}|1\rangle\big) \mapsto |a_0\rangle|a_1\rangle|a_2\rangle$$

and by reversing the order of the qubits, we obtain the 3-qubit state

$$|a_2\rangle|a_1\rangle|a_0\rangle = |a\rangle.$$

We can generalise this quantum circuit so that if $a$ is an integer with $0 \le a < 2^n$ and $a = 2^{n-1}a_{n-1} + 2^{n-2}a_{n-2} + \cdots + 2a_1 + a_0$ for $a_j \in \{0, 1\}$, we can start with the $n$-qubit state

$$\big(|0\rangle + e^{2\pi i \frac{a}{2}}|1\rangle\big)\big(|0\rangle + e^{2\pi i \frac{a}{4}}|1\rangle\big) \cdots \big(|0\rangle + e^{2\pi i \frac{a}{2^n}}|1\rangle\big) \qquad (3.1)$$

and transform it into the state

$$|a_{n-1}\rangle|a_{n-2}\rangle \cdots |a_1\rangle|a_0\rangle = |a\rangle.$$

Figure 3.1: A 3-qubit Quantum Fourier Transform

As pointed out in [Mos99], the start state (3.1) can be rewritten as

$$\sum_{x=0}^{2^n - 1} e^{2\pi i \frac{ax}{2^n}}|x\rangle.$$

The states of this form, for $a = 0, 1, \ldots, 2^n - 1$ are called the Fourier basis states. The transformation we have discussed in this section therefore maps a state in the Fourier basis to its corresponding state in the computational basis. We call this transformation the inverse QFT; the QFT therefore maps states from the computational basis to the Fourier basis.

We can define the QFT more generally as follows:

Definition 3.6. For any integer $m > 1$, the $m$-bit Quantum Fourier Transform $\mathrm{QFT}_m$ acts on the vector space generated by the states

$$|0\rangle, |1\rangle, \ldots, |m-1\rangle$$

and maps

$$|a\rangle \mapsto \frac{1}{\sqrt{m}} \sum_{x=0}^{m-1} e^{2\pi i \frac{ax}{m}}|x\rangle.$$



We have described an efficient implementation of $\mathrm{QFT}_m$ in the case where $m$ is a power of 2, as originally presented in [Cop94]. There are also efficient exact implementations of $\mathrm{QFT}_m$ in the case where the prime factors of $m$ are distinct and in $O(\log m)$ [Sho94], or more generally when the prime factors are not necessarily distinct but still in $O(\log m)$ [Cle94]. It was shown in [Kit95] that for arbitrary values of $m$ we can approximate $\mathrm{QFT}_m$ efficiently; very recently, it was shown that we can in fact implement $\mathrm{QFT}_m$ exactly for arbitrary values of $m$ [MZ03].

We now make some important observations about the QFT. First, if we start in the state $|0\rangle$ and apply $\mathrm{QFT}_m$ we obtain the state
$$\frac{1}{\sqrt{m}} \sum_{x=0}^{m-1} e^{2\pi i \cdot 0 \cdot x/m}|x\rangle = \frac{1}{\sqrt{m}} \sum_{x=0}^{m-1} |x\rangle,$$
which is an equally weighted superposition of the $m$ computational basis states.

Also, given the state $|\psi\rangle = \frac{1}{\sqrt{m}} \sum_{x=0}^{m-1} e^{2\pi i \omega x}|x\rangle$ where $\omega = \frac{a}{m}$ for some integer $a$, then by definition, if we apply the inverse QFT to $|\psi\rangle$ we will obtain the state $|a\rangle$ and we can recover $\omega$ exactly. If, on the other hand, $\omega$ is any real number, we can still use the inverse QFT to obtain an estimate of $\omega$, and we can bound the distance of this estimate from the true value of $\omega$. More precisely:

Theorem 3.7. Given an integer $m > 0$ and the state $|\psi\rangle = \frac{1}{\sqrt{m}} \sum_{x=0}^{m-1} e^{2\pi i \omega x}|x\rangle$, where $\omega$ is any real number, applying $\mathrm{QFT}_m^{-1}$ to $|\psi\rangle$ and measuring the result yields an integer $y$ satisfying the following conditions:

• If $\omega = \frac{a}{m}$ for some integer $a$, then with probability 1, $y = a$.

• Otherwise, with probability at least […], $\left|\frac{y}{m} - \omega\right| < \frac{1}{2m}$.

For a proof of this theorem, see [Che03].
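As an added worked example (not code from the thesis), the following Python builds the Fourier basis state of this section both in the product form (3.1) and as the sum $\sum_x e^{2\pi i a x/2^n}|x\rangle$ (normalised by $1/\sqrt{2^n}$ so that it agrees with Definition 3.6), applies $\mathrm{QFT}_m^{-1}$ as the explicit unitary, and computes the outcome distribution of Theorem 3.7 for a non-integer multiple $\omega$. All function names are this example's own.

```python
import cmath
import math

# Added example, not code from the thesis.  Amplitude vectors are plain lists
# of Python complex numbers indexed by the computational basis label x.

def fourier_state_product(a, n):
    """Product form (3.1): (|0>+e^{2 pi i a/2}|1>) ... (|0>+e^{2 pi i a/2^n}|1>),
    first factor = most significant bit of x, normalised by 1/sqrt(2^n)."""
    amps = [1 + 0j]
    for l in range(1, n + 1):
        phase = cmath.exp(2j * math.pi * a / 2 ** l)
        amps = [c * s for c in amps for s in (1, phase)]
    return [c / math.sqrt(2 ** n) for c in amps]


def fourier_state_sum(a, n):
    """The same state as (1/sqrt(2^n)) sum_x e^{2 pi i a x / 2^n} |x>."""
    m = 2 ** n
    return [cmath.exp(2j * math.pi * a * x / m) / math.sqrt(m) for x in range(m)]


def qft(amps, inverse=False):
    """Apply QFT_m (Definition 3.6) or its inverse to an m-dimensional vector:
    |x> -> (1/sqrt m) sum_y e^{+-2 pi i x y / m} |y>."""
    m = len(amps)
    sign = -1 if inverse else 1
    return [
        sum(amps[x] * cmath.exp(sign * 2j * math.pi * x * y / m) for x in range(m))
        / math.sqrt(m)
        for y in range(m)
    ]


def same_state(u, v, tol=1e-9):
    """Component-wise equality of two amplitude vectors up to rounding."""
    return len(u) == len(v) and all(abs(p - q) < tol for p, q in zip(u, v))


def measured_label(amps, tol=1e-9):
    """If amps is a computational basis state |y> (up to phase), return y."""
    labels = [y for y, c in enumerate(amps) if abs(c) > tol]
    if len(labels) != 1 or abs(abs(amps[labels[0]]) - 1) > tol:
        raise ValueError("not a computational basis state")
    return labels[0]


def outcome_distribution(omega, m):
    """Theorem 3.7: start in (1/sqrt m) sum_x e^{2 pi i omega x} |x>, apply
    QFT_m^{-1}, and return Pr[measure y] for y = 0, ..., m-1."""
    start = [cmath.exp(2j * math.pi * omega * x) / math.sqrt(m) for x in range(m)]
    return [abs(c) ** 2 for c in qft(start, inverse=True)]


def phase_estimate(omega, m):
    """Most likely outcome y, its probability, and the error |y/m - omega|."""
    dist = outcome_distribution(omega, m)
    y = max(range(m), key=dist.__getitem__)
    return y, dist[y], abs(y / m - omega)


if __name__ == "__main__":
    n, a = 3, 5
    print(same_state(fourier_state_product(a, n), fourier_state_sum(a, n)))  # True
    print(measured_label(qft(fourier_state_sum(a, n), inverse=True)))        # 5
    print(phase_estimate(0.3, 8))  # y = 2, probability about 0.58, error 0.05 < 1/16
```

For $\omega = 3/8$ the estimate is exact with probability 1 (first bullet of the theorem); for $\omega = 0.3$ the most likely outcome $y = 2$ gives $|2/8 - 0.3| = 0.05 < 1/16$, as the second bullet promises, but it is obtained only with probability about $0.58$.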

3.4 Solving A Special Case Of The Hidden Subgroup Problem

We first consider the task of solving HSP where $G = \mathbb{Z}$; that is, $f$ is a function from $\mathbb{Z}$ to some finite set $X$, and $f(x) = f(y)$ if and only if $x - y \in r\mathbb{Z}$ for some fixed (unknown) integer $r$. We will call this special case of HSP the Integer Hidden Subgroup Problem (IHSP).

We choose an integer $n > \log|X|$ and an integer $m$ which is a power of 2, and we are given the unitary operator $U_f$ which acts on $\mathcal{H}_m \otimes \mathcal{H}_n$ and maps $|x\rangle|y\rangle \mapsto |x\rangle|y \oplus f(x)\rangle$. We can then implement the following algorithm, which will form the core of an algorithm to solve IHSP:

Algorithm 3.8 (Core Of Solution To IHSP).

1. Start in the state $|0\rangle|0\rangle \in \mathcal{H}_m \otimes \mathcal{H}_n$.

2. Apply $\mathrm{QFT}_m$ to the first register.

3. Apply $U_f$ to the system.

4. Apply $\mathrm{QFT}_m^{-1}$ to the first register.

5. Measure the first register to obtain the integer $y$.

6. Return $y$.



We now have the following well-known result (see for example [NC00]):

Proposition 3.9. After Step 3 of Algorithm 3.8, our system is in the state
$$\frac{1}{\sqrt{mr}} \sum_{k=0}^{r-1} \left( \sum_{x=0}^{m-1} e^{2\pi i kx/r}|x\rangle \right) |\psi_k\rangle,$$
where $|\psi_k\rangle = \frac{1}{\sqrt{r}} \sum_{j=0}^{r-1} e^{-2\pi i kj/r}|f(j)\rangle$.

Proof. After Step 2 of Algorithm 3.8, our system is in the state $\frac{1}{\sqrt{m}} \sum_{x=0}^{m-1} |x\rangle|0\rangle$; applying $U_f$ in Step 3 produces the state $\frac{1}{\sqrt{m}} \sum_{x=0}^{m-1} |x\rangle|f(x)\rangle$. We will show that this state is in fact equal to $\frac{1}{\sqrt{mr}} \sum_{k=0}^{r-1} \left( \sum_{x=0}^{m-1} e^{2\pi i kx/r}|x\rangle \right) |\psi_k\rangle$. Note that
$$\frac{1}{\sqrt{mr}} \sum_{k=0}^{r-1} \left( \sum_{x=0}^{m-1} e^{2\pi i kx/r}|x\rangle \right) \frac{1}{\sqrt{r}} \sum_{j=0}^{r-1} e^{-2\pi i kj/r}|f(j)\rangle
= \frac{1}{r\sqrt{m}} \sum_{x=0}^{m-1} \sum_{j=0}^{r-1} \left( \sum_{k=0}^{r-1} e^{2\pi i k(x-j)/r} \right) |x\rangle|f(j)\rangle. \qquad (3.2)$$

Now fix $x$ and $j$, and consider the coefficients $c_k = e^{2\pi i k(x-j)/r}$ for $0 \le k < r$. There are two cases:

1. If $x \equiv j \pmod r$ then $\frac{k(x-j)}{r}$ is an integer for all $k$, so each of the $c_k$ is 1, and the sum of the $c_k$ is $r$. In this case, we say that there is constructive interference between the coefficients.

2. If $x \not\equiv j \pmod r$, consider $c_1 = e^{2\pi i (x-j)/r}$. Note that $c_1^r - 1 = 0$, and since $c_1^r - 1 = (c_1 - 1)(1 + c_1 + \cdots + c_1^{r-1})$ and $c_1 - 1 \ne 0$, it must be true that $1 + c_1 + \cdots + c_1^{r-1} = 0$. Furthermore, $c_1^k = c_k$ for $0 \le k < r$, so the sum of the $c_k$ is 0. In this case we say that there is destructive interference between the coefficients.
Thus from (3.2), we see that

since by the periodicity of $f$, $f(x) = f(x \bmod r)$. Therefore the result is proven. □

So after Step 3 our system is in the state $\frac{1}{\sqrt{mr}} \sum_{k=0}^{r-1} \left( \sum_{x=0}^{m-1} e^{2\pi i kx/r}|x\rangle \right) |\psi_k\rangle$. Letting $\omega = \frac{k}{r}$, by Theorem 3.7 and by linearity we can see that with probability at least […] applying $\mathrm{QFT}_m^{-1}$ to the first register and measuring the result yields an integer $y_k$ such that $\left|\frac{y_k}{m} - \frac{k}{r}\right| < \frac{1}{2m}$, where $k$ is chosen at random from $\{0, 1, \ldots, r-1\}$.

We will now make use of a theorem from the theory of continued fractions. Given any real number $\lambda$, we can use the theory of continued fractions to compute a sequence of rational numbers called "convergents" that approximate $\lambda$ with increasing precision. If $\lambda$ is positive and rational (say $\lambda = \frac{x}{m}$ for positive integers $x$ and $m$) we have the following result (see for example [Ros93]):

Theorem 3.10. Let $x$, $m$, $k$, and $r$ be positive integers, with
$$\left|\frac{x}{m} - \frac{k}{r}\right| < \frac{1}{2r^2}.$$
Then $\frac{k}{r}$ appears as a convergent in the continued fraction expansion of $\frac{x}{m}$.

There exist efficient algorithms to compute the continued fraction expansion of $\frac{x}{m}$, as described for example in [Kob94]. Clearly there exists at most one fraction $\frac{a}{b}$ with $b \le r$ such that $\left|\frac{x}{m} - \frac{a}{b}\right| < \frac{1}{2r^2}$, so when we find such a convergent $\frac{a}{b}$, we know that $\frac{a}{b} = \frac{k}{r}$ and we can stop computing convergents. The continued fractions algorithms guarantee that we will have to compute at most $O(\log m)$ convergents before we can stop.

So by setting $x$ equal to our measurement output $y_k$ and running these algorithms, provided we have chosen $m > 2r^2$, we can efficiently find a fraction $\frac{a}{b} = \frac{k}{r}$.

Combining Algorithm 3.8 and Theorem 3.10, we obtain an efficient probabilistic quantum algorithm to solve IHSP if we have a bound on the size of $r$:

Algorithm 3.11 (Solution To IHSP When r Is Bounded).

1. Choose an integer $m > 2r^2$.

2. Repeat Algorithm 3.8 two times to obtain two values $y_{k_1}, y_{k_2}$.

3. Use the continued fractions algorithm to obtain fractions $\frac{a_1}{b_1}, \frac{a_2}{b_2}$ such that $b_1, b_2 \le r$ and
$$\left|\frac{y_{k_1}}{m} - \frac{a_1}{b_1}\right| < \frac{1}{2r^2}, \qquad \left|\frac{y_{k_2}}{m} - \frac{a_2}{b_2}\right| < \frac{1}{2r^2}.$$
If two such fractions cannot be found, return FAIL.

4. Let $t = \operatorname{lcm}(b_1, b_2)$. If $t > r$, return FAIL.

5. If $f(0) \ne f(t)$, return FAIL.

6. Return $t$.
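As an added worked example (not code from the thesis), the Python below carries out the classical half of Algorithm 3.11: the continued fraction expansion of $y/m$, the stopping rule of Theorem 3.10, the lcm of the two denominators and the final check $f(0) = f(t)$. The quantum core (Algorithm 3.8) is replaced by a stand-in that returns the ideal outcome $y$ closest to $mk/r$; a real run yields such a $y$ only with the probability of Theorem 3.7. The bound $r$ of the algorithm is passed in as `r_bound`, and the instance ($f(x) = 2^x \bmod 21$, period 6) is constructed for the example.

```python
import random
from fractions import Fraction
from math import gcd

# Added example, not code from the thesis.  The quantum core (Algorithm 3.8)
# is replaced by a classical stand-in that returns the ideal outcome; the
# continued-fraction post-processing is real.

def convergents(x, m):
    """Convergents h/k of the continued fraction expansion of x/m, in order."""
    h_prev, h = 0, 1      # numerators  h_{-2}, h_{-1}
    k_prev, k = 1, 0      # denominators k_{-2}, k_{-1}
    num, den = x, m
    out = []
    while den:
        q, rem = divmod(num, den)
        h_prev, h = h, q * h + h_prev
        k_prev, k = k, q * k + k_prev
        out.append(Fraction(h, k))
        num, den = den, rem
    return out


def fraction_from_estimate(y, m, r_bound):
    """Theorem 3.10 post-processing for one measurement y: the unique convergent
    a/b of y/m with b <= r_bound and |y/m - a/b| < 1/(2 r_bound^2), or None."""
    target = Fraction(y, m)
    for frac in convergents(y, m):
        if frac.denominator > r_bound:      # denominators only grow: stop
            return None
        if abs(target - frac) < Fraction(1, 2 * r_bound * r_bound):
            return frac
    return None


def ideal_core_outcome(r, m, rng):
    """Stand-in for Algorithm 3.8: for k uniform in {0,...,r-1}, return the
    integer y closest to m*k/r, so that |y/m - k/r| <= 1/(2m)."""
    k = rng.randrange(r)
    return (2 * m * k + r) // (2 * r)


def solve_ihsp_bounded(f, core, m, r_bound):
    """Algorithm 3.11.  f is the periodic function, core() returns one
    measurement y, and m > 2 r_bound^2.  Returns r, or None for FAIL."""
    assert m > 2 * r_bound * r_bound
    found = [fraction_from_estimate(core(), m, r_bound) for _ in range(2)]
    if None in found:                            # Step 3
        return None
    b1, b2 = (fr.denominator for fr in found)
    t = b1 * b2 // gcd(b1, b2)                   # Step 4: lcm(b1, b2)
    if t > r_bound:
        return None
    if f(0) != f(t):                             # Step 5
        return None
    return t


def demo(seed):
    """Constructed instance: f(x) = 2^x mod 21 has period r = 6, which the
    solver does not know; it is only told r <= 7 and uses m = 128 > 2*7^2."""
    r_true, m, r_bound = 6, 128, 7
    rng = random.Random(seed)
    f = lambda x: pow(2, x, 21)
    core = lambda: ideal_core_outcome(r_true, m, rng)
    return solve_ihsp_bounded(f, core, m, r_bound)


if __name__ == "__main__":
    print(convergents(3, 8))                  # [0, 1/2, 1/3, 3/8]
    print(fraction_from_estimate(43, 128, 7)) # 1/3  (from k = 2, r = 6)
    print([demo(s) for s in range(10)])       # each entry is 6 or None
```

Every non-FAIL output is exactly 6 here: $t = \operatorname{lcm}(b_1, b_2)$ always divides $r$, and Step 5 rejects every proper divisor, which is the "multiple of $r$" guarantee of Theorem 3.12 in the bounded case.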
Theorem 3.12. Algorithm 3.11 finds the correct value of $r$ with probability at least […]. If it does not return FAIL, it returns a multiple of $r$.

Proof. We run Algorithm 3.8 twice independently, obtaining results $y_{k_1}$ and $y_{k_2}$. The values $\frac{y_{k_1}}{m}$ and $\frac{y_{k_2}}{m}$ are estimates of $\frac{k_1}{r}$ and $\frac{k_2}{r}$, respectively.

By Theorem 3.7, $\left|\frac{y_{k_i}}{m} - \frac{k_i}{r}\right| < \frac{1}{2m}$ with probability at least […] for $i = 1$, and independently for $i = 2$. The probability that the inequality is satisfied for both $i = 1$ and $i = 2$ is therefore at least […]. If this is the case, then since $m > 2r^2$, by Theorem 3.10 the continued fractions algorithm will successfully find fractions $\frac{a_1}{b_1}$ and $\frac{a_2}{b_2}$ that satisfy the conditions in Step 3. Thus with probability at least […] we will have found $\frac{a_i}{b_i} = \frac{k_i}{r}$ for $i = 1, 2$.

Now note that $\gcd(k_i, r)$ is not necessarily 1 because $\frac{a_i}{b_i}$ could be the reduced form of $\frac{k_i}{r}$. It is true however that $b_i = \frac{r}{\gcd(k_i, r)}$, so $\operatorname{lcm}(b_1, b_2) = \frac{r}{\gcd(k_1, k_2, r)}$. Whenever we have measured a 0 we replace it by $r$ (for mathematical convenience), so we can treat $k_1$ and $k_2$ as having been selected uniformly at random from the integers between 1 and $r$; so $k_1$ and $k_2$ are coprime with probability at least […] [CEMM98]. In this case, $\operatorname{lcm}(b_1, b_2) = r$ as desired. Thus the algorithm finds the correct value of $r$ with probability at least

[…]

The final test in Step 5 checks to make sure that $t$ is a multiple of $r$. Thus the algorithm either returns FAIL or a multiple of $r$. □

If we do not have a bound on $r$ to begin with, we can guess at an initial value of $m$, and repeat Algorithm 3.11 three times, say. If all three repetitions return FAIL, we can assume that our $m$ is not large enough, double it, and try again. Eventually, we will obtain an $m > 2r^2$, and with high probability, one of the repetitions of the algorithm for that value of $m$ will succeed. The number of iterations of this process that are required to ensure $m > 2r^2$ is polynomial in $\log r$.

Thus we have an efficient quantum algorithm to solve IHSP. It should be noted that 
if / is given to us as a "black box", there is no efficient classical algorithm to solve IHSP: 
it is a problem for which an efficient quantum algorithm exists but for which no known 
efficient classical algorithm exists. 

3.5 Solving The Order Finding Problem

Given an element $a$ of a group $H$, to solve OFP we must compute $r$, the order of $a$. As illustrated in Problem 3.4, OFP is a special case of IHSP where $f(x) = a^x$. Thus, the algorithm we have described in Section 3.4 allows us to solve OFP in polynomial time. A polynomial-time quantum algorithm to solve OFP was first proposed in [Sho94].

3.6 Solving The Factoring Problem 

In this section, we describe how to find a non-trivial factor of an integer in polynomial time using a quantum computer. Given a polynomial-time algorithm to solve OFP we can use a classical reduction to develop an algorithm that allows us to find a non-trivial factor of an integer in polynomial time. This reduction was first described by Miller in [Mil76]. The idea of solving the factoring problem using the polynomial-time quantum algorithm for OFP and Miller's reduction was proposed in [Sho94]. The resulting quantum factoring algorithm has become the most famous quantum algorithm.

We present a sketch of Miller's reduction. Suppose we wish to factor a positive integer $n$. First, we assume that $n$ is odd, since factors of 2 are easy to detect. We also assume that $n$ is not a prime power, since there are efficient classical algorithms to determine the factors of $n$ in this case. Consider the following algorithm:

Algorithm 3.13 (Finding A Non-Trivial Factor).

1. Choose an integer $a$ at random from $\{0, 1, \ldots, n-1\}$.

2. Let $s = \gcd(a, n)$. If $s > 1$ then return $s$. Otherwise, $a \in \mathbb{Z}_n^*$. (Recall that $\mathbb{Z}_n^*$ is the multiplicative group of all integers (modulo $n$) that are coprime with $n$.)

3. Apply Algorithm 3.11 three times with $m > 2n^2$ to attempt to determine the order of $a$ in $\mathbb{Z}_n^*$. If all three results are FAIL, return FAIL. Otherwise, take $r$ to be the minimum non-FAIL output.

4. If $r$ is odd, return FAIL.

5. Let $t = \gcd(a^{r/2} - 1, n)$. If $t = 1$, return FAIL.

6. Return $t$.
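As an added worked example (not code from the thesis), the Python below runs Miller's reduction exactly as in Algorithm 3.13, with a brute-force order computation standing in for the three quantum calls of Step 3 (so it is only usable on toy moduli). It also counts, for a small $n$, the fraction of $a \in \mathbb{Z}_n^*$ for which Steps 4 and 5 succeed, which is the quantity bounded below in the proof of Theorem 3.14. The moduli 15 and 91 are constructed sample inputs; the function names are this example's own.

```python
import random
from fractions import Fraction
from math import gcd

# Added example, not code from the thesis.  The quantum order-finding step
# (Algorithm 3.11) is replaced by brute-force search, which is only feasible
# for toy moduli; everything else follows Algorithm 3.13.

def multiplicative_order(a, n):
    """Smallest r >= 1 with a^r = 1 (mod n); requires gcd(a, n) = 1."""
    r, x = 1, a % n
    while x != 1:
        x = x * a % n
        r += 1
    return r


def factor_from_element(n, a, order=multiplicative_order):
    """Algorithm 3.13 for a fixed choice of a.  Returns a non-trivial factor
    of n, or None where the algorithm returns FAIL."""
    s = gcd(a, n)                         # Step 2
    if s == n:                            # a = 0: gcd(0, n) = n is not a
        return None                       # non-trivial factor, treat as FAIL
    if s > 1:
        return s
    r = order(a, n)                       # Step 3 (quantum in the thesis)
    if r % 2 == 1:                        # Step 4
        return None
    t = gcd(pow(a, r // 2, n) - 1, n)     # Step 5
    return None if t == 1 else t


def find_factor(n, seed=None):
    """Step 1 (random choice of a) on top of factor_from_element."""
    return factor_from_element(n, random.Random(seed).randrange(n))


def good_fraction(n):
    """Fraction of a in Z_n^* for which Steps 4-5 succeed.  The proof of
    Theorem 3.14 shows this is at least 1 - (1/2)^(k-1) when n is odd and has
    k distinct prime factors."""
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    good = sum(1 for a in units if factor_from_element(n, a) is not None)
    return Fraction(good, len(units))


if __name__ == "__main__":
    print(factor_from_element(15, 7))    # 3   (order 4, 7^2 - 1 = 48, gcd 3)
    print(factor_from_element(15, 14))   # None (14 = -1 mod 15: a^{r/2} = -1)
    print(factor_from_element(91, 3))    # 13  (order 6, 3^3 - 1 = 26)
    print(good_fraction(15))             # 3/4, at least 1 - (1/2)^(2-1) = 1/2
    print(find_factor(15, seed=1))
```

The two failing units for $n = 15$ are $a = 1$ (odd order) and $a = 14 \equiv -1$ (where $a^{r/2} \equiv -1 \pmod n$), which are exactly the two failure cases identified in the proof of Theorem 3.14.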

Theorem 3.14. Algorithm 3.13 correctly returns a non-trivial factor of $n$ with probability at least […].

Proof. For any integer $a \in \{0, 1, \ldots, n-1\}$ which is coprime with $n$ and whose order in $\mathbb{Z}_n^*$ is $r$, we know that
$$\begin{aligned}
a^r &\equiv 1 \pmod n \\
a^r - 1 &\equiv 0 \pmod n \\
(a^{r/2} - 1)(a^{r/2} + 1) &\equiv 0 \pmod n \quad \text{(if $r$ is even)}.
\end{aligned}$$

Since $r$ is the order of $a$, we know that $a^{r/2} - 1 \not\equiv 0 \pmod n$. So if

1. $r$ is even, and

2. $a^{r/2} + 1 \not\equiv 0 \pmod n$,

then $t = \gcd(a^{r/2} - 1, n)$ must be a non-trivial factor of $n$.

We now show that a randomly selected $a$ satisfies both of these conditions with probability at least $1 - \left(\frac{1}{2}\right)^{k-1}$, where $k$ is the number of distinct odd prime factors of $n$. Let $n = \prod_{i=1}^{k} p_i^{e_i}$ where the $p_i$ are distinct odd primes, and let $r_i$ be the order of $a$ in $\mathbb{Z}_{p_i^{e_i}}^*$. Then $r$ is the least common multiple of the $r_i$. Consider the multiplicity of 2 in the prime factorisation of each $r_i$.

1. If each of these multiplicities is 0 (i.e. each $r_i$ is odd) then $r$ is odd.

2. If each of these multiplicities is larger than 0 but they are all equal, then $r_i$ does not divide $\frac{r}{2}$ for any $i$, and thus it must be true that $a^{r/2} \equiv -1 \pmod{p_i^{e_i}}$ for each $i$. Then by the Chinese Remainder Theorem, $a^{r/2} \equiv -1 \pmod n$.

3. Otherwise, there is some $i$ for which $a^{r/2} \equiv 1 \pmod{p_i^{e_i}}$ and thus $a^{r/2} \not\equiv -1 \pmod n$.

Thus a randomly selected $a$ will fail to satisfy both required conditions if and only if the multiplicities of 2 in the prime factorisations of the $r_i$ are all the same. By the Chinese Remainder Theorem, there is a one-to-one correspondence between $\mathbb{Z}_n^*$ and the set $\{(x_1, \ldots, x_k) : x_i \in \mathbb{Z}_{p_i^{e_i}}^*, 1 \le i \le k\}$. Thus selecting an $a$ at random from $\mathbb{Z}_n^*$ is the same as selecting a $k$-tuple at random from the above set. For each $i$, $\mathbb{Z}_{p_i^{e_i}}^*$ is cyclic since $p_i$ is odd; so if we choose a random element $x_i$ with order $r_i$, the probability of obtaining a particular multiplicity of 2 in the prime factorisation of $r_i$ is at most $\frac{1}{2}$. Thus the probability of obtaining the same multiplicity for each $i$ is at most $\left(\frac{1}{2}\right)^{k-1}$. In other words, the probability of choosing an appropriate $a$ is at least
$$1 - \left(\frac{1}{2}\right)^{k-1}. \qquad (3.3)$$

If such an $a$ is chosen, the algorithm will succeed in finding a non-trivial factor of $n$ provided that at least one of the applications of Algorithm 3.11 is successful in correctly determining $r$, the order of $a$ in $\mathbb{Z}_n^*$. By Theorem 3.12 each individual application of Algorithm 3.11 succeeds with probability at least $p$. Thus the probability that at least one of them succeeds is
$$1 - (1 - p)^3 > […]. \qquad (3.4)$$

Combining (3.3) and (3.4), we see that the probability that the entire algorithm succeeds is at least

Since we have assumed $n$ is not a prime power, $k \ge 2$. Thus the probability of success is at least $\left(\frac{1}{2}\right)\left([…]\right) > […]$. □

By applying this algorithm recursively, we can split $n$ into its prime factors. We therefore have a polynomial time probabilistic quantum algorithm to solve the factoring problem.

The core of this quantum factoring algorithm has been successfully implemented on 
a small quantum computer to attempt to factor the integer 15 into its prime factors (3 
and 5). Scientists are still only able to tackle problems with small parameter sizes using 
the current implementations of quantum computers, but the successful implementation 
of this and other quantum algorithms indicates that the theory currently being developed 
can actually be applied to a physical realisation of a quantum computer. 

3.7 Solving Another Special Case Of The Hidden 
Subgroup Problem 

Next consider the task of solving HSP where $G = \mathbb{Z}_p \times \mathbb{Z}_p$; that is, $f$ is a function from $\mathbb{Z}_p \times \mathbb{Z}_p$ to some finite set $X$, and $f(x_1, x_2) = f(y_1, y_2)$ if and only if $(x_1, x_2)$ and $(y_1, y_2)$ are in the same coset of some hidden subgroup $K$ (which is of size $p$). We will call this special case of HSP the Prime Hidden Subgroup Problem (PHSP). In this section we will present a sketch of a well-known algorithm to solve this special case; the algorithm is a generalisation of Algorithm 3.8 and can be found also in [NC00], for example.

We choose an integer $n > \log|X|$. We use the natural generalisation of the definition of $U_f$; that is, $U_f$ implements the unitary transformation
$$|x\rangle|y\rangle|z\rangle \;\mapsto\; |x\rangle|y\rangle|z \oplus f(x, y)\rangle.$$
We also assume that we can implement $\mathrm{QFT}_p$ exactly. In practice we would likely use an approximation of $\mathrm{QFT}_p$, for example by performing $\mathrm{QFT}_{2^l}$ where $2^l \gg p$; in this case the algorithm still succeeds with high probability as formalised in [HH99]. However, by using the methods described in [MZ03] we could instead implement $\mathrm{QFT}_p$ exactly and subsequently obtain an exact algorithm for PHSP.

Consider the following algorithm, which will form the core of an algorithm to solve PHSP:

Algorithm 3.15 (Core Of Solution To PHSP).

1. Start in the state $|0\rangle|0\rangle|0\rangle$ in $\mathcal{H}_p \otimes \mathcal{H}_p \otimes \mathcal{H}_n$.

2. Apply $\mathrm{QFT}_p$ to each of the first two registers.

3. Apply $U_f$ to the system.

4. Apply $\mathrm{QFT}_p^{-1}$ to each of the first two registers.

5. Measure the first two registers and output the ordered pair $(s, t)$.

Define the set $T = \{(s, t) : su + tv \equiv 0 \pmod p \text{ for every } (u, v) \in K\}$. Note that $|T| = p$. For each $(s, t)$ define the state
$$|\psi_{(s,t)}\rangle = \frac{1}{\sqrt{p}} \sum_{(u,v) \in G/K} e^{-2\pi i (su + tv)/p}|f(u, v)\rangle.$$
(Each $(u, v)$ in the above sum is a representative of one of the cosets of $K$ in $G$.) We now prove a result similar to Proposition 3.9:
Proposition 3.16. After Step 3 of Algorithm 3.15, our system is in the state
$$|\psi\rangle = \frac{1}{p\sqrt{p}} \sum_{(s,t) \in T} \left( \sum_{x=0}^{p-1} e^{2\pi i sx/p}|x\rangle \right) \left( \sum_{y=0}^{p-1} e^{2\pi i ty/p}|y\rangle \right) |\psi_{(s,t)}\rangle.$$

Proof. After Step 2 of Algorithm 3.15, our system is in the state

and applying $U_f$ in Step 3 produces the state
$$\frac{1}{p} \sum_{(x,y) \in G} |x\rangle|y\rangle|f(x, y)\rangle.$$

We will show that this state is in fact equal to $|\psi\rangle$. Note that
$$\begin{aligned}
|\psi\rangle &= \frac{1}{p\sqrt{p}} \sum_{(s,t) \in T} \left( \sum_{(x,y) \in G} e^{2\pi i (sx + ty)/p}|x\rangle|y\rangle \right) \frac{1}{\sqrt{p}} \sum_{(u,v) \in G/K} e^{-2\pi i (su + tv)/p}|f(u, v)\rangle \\
&= \frac{1}{p^2} \sum_{(x,y) \in G} \sum_{(u,v) \in G/K} \left( \sum_{(s,t) \in T} e^{2\pi i \frac{s(x-u) + t(y-v)}{p}} \right) |x\rangle|y\rangle|f(u, v)\rangle. \qquad (3.5)
\end{aligned}$$

Now fix $x$, $y$, $u$, and $v$, and consider the coefficients $c_{(s,t)} = e^{2\pi i \frac{s(x-u) + t(y-v)}{p}}$ for $(s, t) \in T$. There are two cases:

1. If $(x, y)$ and $(u, v)$ are in the same coset of $K$, then $(x - u, y - v) \in K$. By the definition of $T$, $s(x - u) + t(y - v) \equiv 0 \pmod p$. Thus $\frac{s(x-u) + t(y-v)}{p}$ is an integer, each of the $c_{(s,t)}$ is 1, and the sum of the $c_{(s,t)}$ is $p$. In this case, we say that there is constructive interference between the coefficients.

2. If $(x, y)$ and $(u, v)$ are in different cosets of $K$, then using a method similar to that in the proof of Proposition 3.9 we can show that the sum of the $c_{(s,t)}$ is 0. In this case we say that there is destructive interference between the coefficients.

From (3.5) we see that
$$|\psi\rangle = \frac{1}{p^2} \sum_{(x,y) \in G} \sum_{(u,v) \in G/K} \left( \sum_{(s,t) \in T} c_{(s,t)} \right) |x\rangle|y\rangle|f(u, v)\rangle = \frac{1}{p} \sum_{(x,y) \in G} |x\rangle|y\rangle|f(u, v)\rangle$$
where $(u, v)$ is the representative for the coset containing $(x, y)$. Therefore,
$$|\psi\rangle = \frac{1}{p} \sum_{(x,y) \in G} |x\rangle|y\rangle|f(x, y)\rangle$$
since by definition $f(u, v) = f(x, y)$. Thus the result is proven. □

So after Step 3 our system is in the state
$$\frac{1}{p\sqrt{p}} \sum_{(s,t) \in T} \left( \sum_{x=0}^{p-1} e^{2\pi i sx/p}|x\rangle \right) \left( \sum_{y=0}^{p-1} e^{2\pi i ty/p}|y\rangle \right) |\psi_{(s,t)}\rangle.$$
Assuming we can implement $\mathrm{QFT}_p$ exactly, then we can see intuitively that by applying $\mathrm{QFT}_p^{-1}$ to each of the first two registers and measuring the results we will obtain, respectively, random values $s$ and $t$ such that $(s, t) \in T$.

By running Algorithm 3.15 several times to obtain several random elements of T, we 
can use methods from linear algebra to determine a generating set for K. (In fact, in 
some special cases, such as the solution to the Discrete Logarithm Problem discussed 
below, it is sufficient to run Algorithm 3.15 only once.) 

It follows, therefore, that Algorithm 3.15 forms the core of an efficient quantum 
algorithm to solve PHSP. 
3.8 Computing Discrete Logarithms

Given a generator $\alpha$ of a group $H$ of order $n$, and $\beta = \alpha^k$, to solve DLP we must compute $k$. As illustrated in Problem 3.5, DLP in a group of prime order is a special case of PHSP. Thus, the algorithm from the previous section allows us to solve DLP in a group of prime order in polynomial time.

If we wish to solve DLP in a group of general order, we can use a slight modification of the classical Pohlig-Hellman algorithm, which was proposed in [PH78]. In short, given the prime factorisation $n = p_1^{e_1} \cdots p_w^{e_w}$ where the $p_i$ are distinct primes, the algorithm computes $k_i = k \bmod p_i^{e_i}$ for each $i$, and then uses the Chinese Remainder Theorem to recombine these values into the discrete logarithm $k$. We modify the original algorithm in a natural way by using some quantum algorithms as subroutines.

Algorithm 3.17 (Solution to DLP).

1. Apply Algorithm 3.13 recursively to split $n$ into its prime factorisation, say $n = p_1^{e_1} \cdots p_w^{e_w}$ where the $p_i$ are distinct primes.

2. For $i$ from 1 to $w$ do the following:

2.1 Set $p = p_i$ and $e = e_i$.

2.2 Set $\gamma = 1$ and $l_{-1} = 0$.

2.3 Compute $\bar\alpha = \alpha^{n/p}$.

2.4 For $j$ from 0 to $e - 1$ do the following:

Compute $\gamma = \gamma\, \alpha^{l_{j-1} p^{j-1}}$ and $\bar\beta = (\beta \gamma^{-1})^{n/p^{j+1}}$.

Compute $l_j = \log_{\bar\alpha} \bar\beta$ using the quantum algorithm from Section 3.7.

2.5 Set $k_i = l_0 + l_1 p + \cdots + l_{e-1} p^{e-1}$.

3. Use the Chinese Remainder Theorem to combine the $k_i$ to determine the discrete logarithm $k$.

4. Return $k$.

The element $\bar\alpha$ computed in each iteration is an element of order $p$, since $\alpha^n = 1$ and $\bar\alpha = \alpha^{n/p}$. Thus the instance of DLP in Step 2.4 is an instance of DLP in the group $\langle \bar\alpha \rangle$, which is a group of order $p$. We can therefore indeed apply the quantum algorithm from Section 3.7 to compute $l_j$. For a proof that the remainder of the algorithm is correct, see [PH78].
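As an added worked example (not code from the thesis), the Python below follows Algorithm 3.17 step by step in the group $\mathbb{Z}_q^*$ of a prime $q$ (so $n = q - 1$). Both quantum subroutines are replaced by classical stand-ins: trial division for the factorisation in Step 1, and brute-force search in the order-$p$ subgroup $\langle \bar\alpha \rangle$ for the logarithms $l_j$ in Step 2.4; the recombination, the handling of prime powers ($e > 1$) and the Chinese Remainder step are the algorithm's own. The moduli 17, 251 and 1009 are constructed sample inputs and the function names are this example's own.

```python
# Added example, not code from the thesis.  Group: Z_q^* for a prime q, with
# n = q - 1.  The two quantum subroutines of Algorithm 3.17 are replaced by
# classical stand-ins, so only toy sizes are feasible.

def factorise(n):
    """Stand-in for Step 1 (Algorithm 3.13 applied recursively):
    {p: e} with n = prod p^e, by trial division."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def prime_order_log(alpha_bar, beta_bar, p, q):
    """Stand-in for the Section 3.7 subroutine: l with alpha_bar^l = beta_bar
    in the subgroup <alpha_bar> of order p (brute force)."""
    x = 1
    for l in range(p):
        if x == beta_bar:
            return l
        x = x * alpha_bar % q
    raise ValueError("beta_bar not in <alpha_bar>")


def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise coprime moduli (Step 3)."""
    total, modulus = 0, 1
    for r, m in zip(residues, moduli):
        s = ((r - total) * pow(modulus, -1, m)) % m   # total + modulus*s = r (mod m)
        total += modulus * s
        modulus *= m
    return total % modulus


def pohlig_hellman(alpha, beta, q):
    """Algorithm 3.17: k with alpha^k = beta in Z_q^*, alpha a generator."""
    n = q - 1
    residues, moduli = [], []
    for p, e in factorise(n).items():              # Step 2
        gamma, l_prev = 1, 0                         # 2.2: gamma = 1, l_{-1} = 0
        alpha_bar = pow(alpha, n // p, q)            # 2.3: element of order p
        digits = []
        for j in range(e):                           # 2.4
            if j:                                    # alpha^{l_{-1} p^{-1}} = 1 when j = 0
                gamma = gamma * pow(alpha, l_prev * p ** (j - 1), q) % q
            beta_bar = pow(beta * pow(gamma, -1, q), n // p ** (j + 1), q)
            l_prev = prime_order_log(alpha_bar, beta_bar, p, q)
            digits.append(l_prev)
        residues.append(sum(l * p ** j for j, l in enumerate(digits)))  # 2.5
        moduli.append(p ** e)
    return crt(residues, moduli)                     # Steps 3-4


def find_generator(q):
    """Smallest generator of Z_q^*: alpha^(n/p) != 1 for every prime p | n."""
    n = q - 1
    for alpha in range(2, q):
        if all(pow(alpha, n // p, q) != 1 for p in factorise(n)):
            return alpha
    raise ValueError("no generator found")


def demo(q, k):
    """Pick a generator alpha of Z_q^*, form beta = alpha^k, and recover k."""
    alpha = find_generator(q)
    return alpha, pohlig_hellman(alpha, pow(alpha, k, q), q)


if __name__ == "__main__":
    print(pohlig_hellman(3, 7, 17))   # 11: n = 16 = 2^4 exercises the j-loop
    print(demo(1009, 777))            # (generator, 777): n = 1008 = 2^4 * 3^2 * 7
```

The number of calls to the order-$p$ logarithm is $\sum_i e_i$, as the text notes; for $q = 1009$ that is $4 + 2 + 1 = 7$ calls, each in a subgroup of order at most 7.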

To find a factor of $n$ using Algorithm 3.13 requires time polynomial in $\log n$, and there are $O(\log n)$ factors, so the factoring in Step 1 requires polynomial time. In total, the number of iterations of the inner loop is $\sum_{i=1}^{w} e_i$ (which is in $O(\log n)$) and each iteration uses the efficient quantum algorithm to compute a discrete logarithm. Algorithm 3.17 is therefore an efficient quantum algorithm to solve DLP.

This quantum algorithm will succeed for any group $H$, provided that we can efficiently perform the group operation, and that each group element can be represented by a unique quantum state. (If a single group element can be represented by multiple quantum states, these quantum states will not interfere with one another as required.) Of considerable interest is the group of points on an elliptic curve over a finite field, which is fast becoming an important group in cryptographic applications (see Chapter 6). For a detailed discussion of quantum circuits for solving DLP in the group of points on an elliptic curve over $GF(p)$ see [PZ03]. A polynomial-time quantum algorithm to solve DLP was first proposed in [Sho94].

This chapter has introduced several quantum algorithms, most importantly algo- 
rithms to solve OFP, the factoring problem, and DLP. These algorithms are the main 
tools that we will use in the subsequent chapters as we analyse various public key cryp- 
tosystems in a quantum setting. Further quantum algorithms that depend on more 
specialised concepts will be described as the required definitions and results are intro- 
duced. 



Chapter 4 

The RSA Cryptosystem 



The RSA cryptosystem, the first published realisation of a public key cryptosystem, was proposed in 1977 by Rivest, Shamir, and Adleman [RSA78]. It is similar to the system proposed in [Coc73], although that system was not made public until later. Since the late 1970s, the RSA cryptosystem has become the most widely used public key encryption scheme in many applications from electronic commerce to national security.

4.1 The Cryptosystem

To generate an RSA key, Alice performs the following steps:

Algorithm 4.1 (RSA Key Generation).

1. Alice selects at random two distinct primes $p$ and $q$.

2. She calculates $n = pq$ and $\varphi(n) = (p - 1)(q - 1)$.

3. She selects some integer $e$, $1 < e < \varphi(n)$, such that $\gcd(e, \varphi(n)) = 1$.

4. She computes the unique integer $d$, $1 < d < \varphi(n)$, such that $ed \equiv 1 \pmod{\varphi(n)}$.

5. Alice's public key is $(n, e)$, and her private key is $d$.

To encrypt a message for Alice using the RSA cryptosystem, Bob performs the following steps:

Algorithm 4.2 (RSA Encryption).

1. Bob obtains Alice's public key $(n, e)$.

2. He converts the message to an integer $m$, such that $0 \le m \le n - 1$.

3. Bob computes the encrypted message $c = m^e \bmod n$.

To recover the original message, Alice does the following:

Algorithm 4.3 (RSA Decryption).

1. She uses her private key $d$ and computes $m = c^d \bmod n$.

Theorem 4.4. RSA decryption works properly.

Proof. First note that since $ed \equiv 1 \pmod{\varphi(n)}$ there exists some integer $t$ such that $ed = 1 + t\varphi(n)$.

We now have two cases.

1. If $\gcd(m, p) = 1$,
$$m^{p-1} \equiv 1 \pmod p \quad \text{(by Fermat's Little Theorem)}$$
$$m^{1 + t\varphi(n)} \equiv m \pmod p.$$

2. If $\gcd(m, p) = p$,
$$m \equiv 0 \pmod p$$
$$m^{1 + t\varphi(n)} \equiv 0 \pmod p.$$

Thus in both cases, $m^{1 + t\varphi(n)} \equiv m \pmod p$. In a similar way, we can prove that $m^{1 + t\varphi(n)} \equiv m \pmod q$. Combining these two congruences, since $p$ and $q$ are distinct primes,
$$m^{ed} \equiv m \pmod n$$
$$c^d \equiv m \pmod n$$
so decryption indeed works properly. □
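As an added worked example (not code from the thesis), the Python below implements Algorithms 4.1 to 4.3 literally, including the range checks on $e$ and $m$, and verifies Theorem 4.4 numerically on both of its cases: a message coprime to $n$ and a message that is a multiple of $p$. The primes 61 and 53 and the exponent 17 are constructed toy values, far too small for any real use; the function names are this example's own.

```python
from math import gcd

# Added example, not code from the thesis.  Toy parameters only: the primes are
# constructed sample values, far too small for real use.

def rsa_keygen(p, q, e):
    """Algorithm 4.1 from chosen primes p, q and exponent e: ((n, e), d)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)            # Step 2
    if not 1 < e < phi or gcd(e, phi) != 1:      # Step 3
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                          # Step 4: e*d = 1 (mod phi(n))
    return (n, e), d


def rsa_encrypt(public_key, m):
    """Algorithm 4.2: c = m^e mod n for 0 <= m <= n - 1."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n-1]")
    return pow(m, e, n)


def rsa_decrypt(public_key, d, c):
    """Algorithm 4.3: m = c^d mod n."""
    n, _ = public_key
    return pow(c, d, n)


def roundtrip_ok(p, q, e, m):
    """Theorem 4.4 checked numerically: decrypt(encrypt(m)) == m."""
    public_key, d = rsa_keygen(p, q, e)
    return rsa_decrypt(public_key, d, rsa_encrypt(public_key, m)) == m


if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53, 17)
    print(pub, d)                        # (3233, 17) 2753
    print(rsa_encrypt(pub, 65))          # 2790
    print(rsa_decrypt(pub, d, 2790))     # 65
    # The second case of the proof: m = 61 is a multiple of p, gcd(m, p) = p.
    print(roundtrip_ok(61, 53, 17, 61))  # True
```

Note that $ed = 17 \cdot 2753 = 46801 = 1 + 15 \cdot 3120$, so $t = 15$ in the notation of the proof.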

4.2 Security Of The System

The security of the RSA cryptosystem is based on the hardness of the RSA problem, which is the problem of finding $e$-th roots in the ring $\mathbb{Z}_n = \mathbb{Z}/n\mathbb{Z}$.

Problem 4.5 (The RSA Problem (RSAP)). Given $n$, $e$, and $m^e \bmod n$ for some $m \in \mathbb{Z}_n$, find $m$.

Determining the plaintext from an RSA ciphertext is equivalent to solving RSAP, which is thought to be hard for a classical computer. Alternatively, if Eve can successfully factor $n$ to recover $p$ and $q$, she can compute $\varphi(n)$ and $d$ just as Alice did when she generated the keys, and obtain complete knowledge of Alice's private key. It has been conjectured that these two attacks are computationally equivalent (that is, solving RSAP is equivalent to factoring $n$) but this conjecture has not been proven. However, it can be shown that determining the private key $d$ from the public key $(n, e)$ is indeed equivalent to factoring $n$ [MvOV96], and most current attacks on the RSA cryptosystem attempt to factor $n$.

The problem of factoring integers has been studied in detail for many years; some of the current known classical factoring algorithms are listed in Table 4.1.

Table 4.1: Some classical factoring algorithms

    Algorithm             Expected running time (neglecting logarithmic factors)
    Trial division        $O(n^{1/2})$
    Pollard rho           $O(n^{1/4})$
    Quadratic sieve       $\exp[O((\log n)^{1/2}(\log\log n)^{1/2})]$
    Number field sieve    $\exp[O((\log n)^{1/3}(\log\log n)^{2/3})]$

Other than the trial division algorithm, the algorithms in Table 4.1 are probabilistic algorithms. The running times presented in the table are upper bounds on the expected running times of the algorithms, taken over the random bits used as input. In general, rigorous analysis of an algorithm leads to an expected running time that is valid for any input. In the case of the last two algorithms above, however, some additional assumptions on the input are required in order for the expected running times to be valid; so the estimates are heuristic ones. (These assumptions are conjectured to hold true for all inputs, but the conjectures are unproven.) There are also algorithms that have rigorously proven expected running times of $\exp[O((\log n)^{1/2}(\log\log n)^{1/2})]$, such as the algorithm in [Pom87].

The last two algorithms in Table 4.1 are both "sieving" algorithms, and they operate on the same basic premise: each of them tries to find positive integers $x$ and $y$ less than $n$ such that
$$x^2 \equiv y^2 \pmod n, \quad \text{and} \quad x \not\equiv \pm y \pmod n.$$

Once two such integers have been found, we know that
$$(x - y)(x + y) \equiv 0 \pmod n$$
and $n$ does not divide either $x - y$ or $x + y$. Thus $\gcd(x - y, n)$ is a non-trivial factor of $n$. As mentioned earlier, these algorithms are randomised: they find congruences of the desired form by choosing random integers and performing specific series of operations on them.

Another popular factoring algorithm is the elliptic curve method proposed in [Len87]. This algorithm works especially well when the smallest prime factor of $n$ is much smaller than $\sqrt{n}$: the algorithm's expected running time is $\exp[(2 + \varepsilon)(\log p)^{1/2}(\log\log p)^{1/2}]$ where $p$ is the smallest prime factor of $n$ and $\varepsilon \to 0$ as $p \to \infty$. (This is a heuristic estimate.) In general, the two prime factors of an RSA modulus are chosen to be approximately equal in size, and so the elliptic curve algorithm may not run significantly faster than the other algorithms in Table 4.1; on the other hand, it requires considerably less storage space [Kob94].

For more details on these classical factoring algorithms, see for example [Kob94] or [Coh93].

Because all of these algorithms require superpolynomial time, the RSA cryptosystem is still considered secure against classical factoring attacks for sufficiently large $n$. Generally, a modulus of 1024 bits or more is thought to be secure against today's computers. Recent developments in specialised hardware indicate that this modulus length may not be sufficient for much longer, however: the device proposed in [ST03] would reportedly cost $10 million and would be capable of factoring a 1024-bit modulus in less than a year.

We do not know of an efficient classical algorithm for factoring; so the RSA cryptosystem may be hard to break with any classical algorithm. However, as we have seen in Section 3.6, Algorithm 3.13 is a probabilistic polynomial-time quantum algorithm that solves the factoring problem. Thus the RSA cryptosystem is insecure in a quantum setting.

It is also interesting to note that given a particular RSA ciphertext $c$, we can use a quantum computer to solve RSAP directly; that is, to determine the corresponding plaintext $m$ without having to factor $n$ [CEMM98]. Since $e$ is relatively prime to $\varphi(n)$, we know that $m$ and $m^e = c$ have the same order, say $r$. To determine $m$ from $c$, we first give $c$ as input to the quantum order-finding algorithm described in Section 3.5, and obtain $r$ as output. Next we compute the unique $a$ such that $ea \equiv 1 \pmod r$. Finally, we compute
$$c^a \bmod n = m^{ea} \bmod n = m$$
and recover the plaintext $m$.
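As an added worked example (not code from the thesis), the Python below carries out the three steps just described on a constructed toy instance ($n = 61 \cdot 53$, $e = 17$, $c = 65^{17} \bmod n$): find the order $r$ of $c$, invert $e$ modulo $r$, and raise $c$ to that inverse. A brute-force loop stands in for the quantum order-finding algorithm of Section 3.5, which is why the example only works for a modulus this small; the function names are this example's own.

```python
from math import gcd

# Added example, not code from the thesis.  Recovers m from c = m^e mod n using
# the order of c in Z_n^*, with brute-force order finding standing in for the
# quantum subroutine of Section 3.5 (feasible only for a toy modulus).

def multiplicative_order(x, n):
    """Smallest r >= 1 with x^r = 1 (mod n); requires gcd(x, n) = 1."""
    r, y = 1, x % n
    while y != 1:
        y = y * x % n
        r += 1
    return r


def recover_plaintext_from_order(n, e, c):
    """m = c^a mod n with a = e^{-1} mod r, where r is the order of c.
    e is invertible mod r because r divides phi(n) and gcd(e, phi(n)) = 1."""
    if gcd(c, n) != 1:
        raise ValueError("c is not in Z_n^*")
    r = multiplicative_order(c, n)      # quantum order finding in the thesis
    a = pow(e, -1, r)                   # e*a = 1 (mod r)
    return pow(c, a, n)                 # c^a = m^{ea} = m^{1 + jr} = m


def demo():
    """Constructed instance: n = 61*53, e = 17, c = 65^17 mod n = 2790.
    Returns (r, a, m); note that a is in general not the private key d."""
    n, e, c = 3233, 17, 2790
    r = multiplicative_order(c, n)
    a = pow(e, -1, r)
    return r, a, pow(c, a, n)


if __name__ == "__main__":
    print(demo())   # (..., ..., 65): the plaintext, recovered without factoring n
```

The exponent $a$ depends on the ciphertext's order $r$, not on $\varphi(n)$, so each ciphertext costs one order-finding run; nothing about $p$, $q$ or $d$ is learned.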



Chapter 5 

The Rabin Cryptosystem 



The Rabin cryptosystem was proposed in [Rab79]. Like the RSA cryptosystem, an adversary can attack the scheme by factoring a product of two large primes. However, unlike the RSA cryptosystem, it has been proven that performing this factorisation is computationally equivalent to determining the plaintext corresponding to a given ciphertext. If we assume that the factoring problem is intractable, then the Rabin cryptosystem is provably secure against a passive adversary.

5.1 The Cryptosystem

To generate Rabin keys, Alice does the following:

Algorithm 5.1 (Rabin Key Generation).

1. Alice selects two distinct primes $p$ and $q$.

2. She calculates $n = pq$.

3. Alice's public key is $n$, and her private key is $(p, q)$.

To encrypt a message for Alice using the Rabin cryptosystem, Bob does the following:

Algorithm 5.2 (Rabin Encryption).

1. Bob obtains Alice's public key $n$.

2. He converts the message to an integer $m$, such that $0 \le m \le n - 1$.

3. Bob computes the encrypted message $c = m^2 \bmod n$.

To recover the original message, Alice does the following:

Algorithm 5.3 (Rabin Decryption).

1. She computes the four square roots of $c \bmod n$.

2. Somehow, she decides which of the four square roots corresponds to the original message sent by Bob.

One problem with the Rabin cryptosystem is that in order to recover the original message, Alice must somehow choose between the four square roots of the ciphertext. One way to avoid this problem is to include some redundancy in the message before encrypting it, so that with high probability only one of the four square roots will have this redundancy.

If $p$ and $q$ are chosen to be congruent to 3 mod 4, there is a simple algorithm to calculate the four square roots of $c$:

Algorithm 5.4 (Computing Square Roots).

1. Alice computes $r = c^{(p+1)/4} \bmod p$ and $s = c^{(q+1)/4} \bmod q$.

2. She uses the Extended Euclidean Algorithm to find integers $a$ and $b$ such that $ap + bq = 1$.

3. She calculates $x = (aps + bqr) \bmod n$ and $y = (aps - bqr) \bmod n$.

4. The four square roots of $c$ are $x \bmod n$, $-x \bmod n$, $y \bmod n$, and $-y \bmod n$.

The steps of the algorithm correspond to finding the square roots of $c$ modulo $p$ and $q$, and then combining them using the Chinese Remainder Theorem. It is easily verified that the resulting integers are indeed the four square roots of $c$. Note that if one or both of $p$ or $q$ is congruent to 1 mod 4, the square roots can still be efficiently computed, but the algorithm is more complicated [MvOV96]. For this reason, during the key generation procedure it makes sense to choose the primes $p$ and $q$ to be congruent to 3 mod 4.

It is also interesting to note as in [MvOV96] that Rabin encryption is more efficient than RSA encryption, since it requires a single modular squaring operation. (RSA encryption will require more squaring and multiplication operations since the encryption exponent is always greater than 2.) The efficiencies of the RSA and Rabin decryption algorithms are comparable.
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5.2 Security Of The System 

If an adversary can factor Alice's modulus n and recover the primes p and q, then the ad- 
versary has complete knowledge of Alice's private key and hence the scheme is broken. As 
mentioned previously, in fact it is easy to see that decrypting Rabin ciphertexts is com- 
putationally equivalent to the factoring problem. If we can decrypt a Rabin ciphertext, 
c, we can find the four square roots of c mod n, say ±x, ±y, where $y \not\equiv \pm x \pmod n$. 
Then we know that $c \equiv x^2 \pmod n$ and $c \equiv y^2 \pmod n$, or in other words, $x^2 \equiv y^2 \pmod n$. 
(This congruence is one of the type that the sieving algorithms in Section 4.2 
attempt to find.) Then we know that $(x - y)(x + y) \equiv 0 \pmod n$, so gcd(x − y, n) is a 
non-trivial factor of n. 
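The root computation of Algorithm 5.4 and the factoring argument just given, worked through in Python as an added example (not code from the thesis); the primes 7 and 11 are constructed toy values, both congruent to 3 mod 4, and the function names are ours:

```python
"""Rabin square roots (Algorithm 5.4) and the factoring equivalence of Section 5.2.
Added example, not code from the thesis; p and q are small constructed primes,
both congruent to 3 mod 4, so the (p+1)/4 exponent trick applies."""
from math import gcd


def egcd(a, b):
    """Extended Euclidean Algorithm: return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def rabin_encrypt(m, n):
    """Rabin encryption is a single modular squaring."""
    return m * m % n


def rabin_square_roots(c, p, q):
    """Algorithm 5.4: the four square roots of c modulo n = p*q.

    Raises ValueError if c is not a square modulo n (then no plaintext exists)."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("algorithm needs p, q congruent to 3 mod 4")
    n = p * q
    # Step 1: square roots modulo each prime. For p = 3 mod 4, c^((p+1)/4) is a
    # root of c whenever c is a quadratic residue mod p; we verify that it is.
    r = pow(c, (p + 1) // 4, p)
    s = pow(c, (q + 1) // 4, q)
    if r * r % p != c % p or s * s % q != c % q:
        raise ValueError("c is not a quadratic residue modulo n")
    # Step 2: a*p + b*q = 1 via the Extended Euclidean Algorithm.
    g, a, b = egcd(p, q)
    if g != 1:
        raise ValueError("p and q must be distinct primes")
    # Step 3: combine with the Chinese Remainder Theorem.
    #   x = r (mod p), x = s (mod q);   y = -r (mod p), y = s (mod q)
    x = (a * p * s + b * q * r) % n
    y = (a * p * s - b * q * r) % n
    # Step 4: the four roots.
    return sorted({x, (-x) % n, y, (-y) % n})


def factor_from_roots(roots, n):
    """Section 5.2: two roots x, y of the same c with y != +-x (mod n) satisfy
    (x - y)(x + y) = 0 (mod n), so gcd(x - y, n) is a non-trivial factor of n."""
    for x in roots:
        for y in roots:
            g = gcd(x - y, n)
            if 1 < g < n:
                return g
    return None
```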

Because of this equivalence, factoring algorithms like the ones mentioned in Chap- 
ter 4 are the only available tools for a passive adversary. Since the best known classical 
factoring algorithms require superpolynomial time, the scheme is thought to be secure 
against a passive classical adversary. However, an adversary with a quantum computer 
can factor in polynomial time using Algorithm 3.13. Hence, the Rabin cryptosystem is 
not secure in a quantum setting. 



Chapter 6 

The ElGamal Cryptosystem 



The ElGamal cryptosystem was proposed in [ElG85], and is based on the hardness of 
the Discrete Logarithm Problem (DLP). It may be used with any finite cyclic group, 
although as stated in [MvOV96] in order for the group to be a good choice, it should 
satisfy two main criteria: 

1. the group operation should be easy to apply so that the cryptosystem is efficient, 
and 

2. DLP in the group should be computationally infeasible so that the cryptosystem is 
secure. 

Some examples of groups for which these criteria seem to be met are the multiplicative 
group $\mathbb{Z}_p^*$ of the integers modulo a prime p, and the group of points on an elliptic curve 
over a finite field. For more examples of groups where the ElGamal cryptosystem is 
thought to be secure, see [MvOV96]. 


6.1 The Cryptosystem 

To generate ElGamal keys, Alice does the following: 
Algorithm 6.1 (ElGamal Key Generation). 

1. She selects a cyclic group G that meets the above criteria. Let n denote the order 
of G. 

2. She finds a generator α of G. 

3. Alice selects a random integer a such that 1 ≤ a ≤ n − 1, and computes $\alpha^a$. 

4. Her public key is $(G, n, \alpha, \alpha^a)$ and her private key is a. 



To encrypt a message for Alice using the ElGamal cryptosystem, Bob does the fol- 
lowing: 

Algorithm 6.2 (ElGamal Encryption). 

1. Bob obtains Alice's public key $(G, n, \alpha, \alpha^a)$. 

2. He converts his message to an element m ∈ G. 

3. He selects a random integer k such that 1 ≤ k ≤ n − 1. 

4. Bob computes $\gamma = \alpha^k$ and $\delta = m(\alpha^a)^k$. 

5. The ciphertext is c = (γ, δ). 



To decrypt the ciphertext, Alice performs the following steps: 
Algorithm 6.3 (ElGamal Decryption). 

1. Alice uses her private key a to compute $\gamma^a$ and then $\gamma^{-a}$. 

2. She computes $m = \gamma^{-a}\delta$. 

Theorem 6.4. ElGamal decryption works properly. 
Proof. Note that 

$$\begin{aligned}
\gamma^{-a}\delta &= \gamma^{-a}\, m\, (\alpha^a)^k \\
&= m\, \gamma^{-a} (\alpha^k)^a \\
&= m\, \gamma^{-a} \gamma^a \\
&= m
\end{aligned}$$

so decryption indeed works properly. □ 

6.2 Security Of The System 

It is clear that an attacker can compute Alice's private key a by finding the discrete 
logarithm of $\alpha^a$ to the base α, both of which are public quantities. Also, if the attacker 
can find the particular value of k that was used to encrypt a message, she can decrypt 
the message, but to determine k she must find the discrete logarithm of γ to the base 
α. These facts imply that the security of the scheme depends on the hardness of DLP in 
the group G. 
There are many classical algorithms to solve DLP. These algorithms can be divided 
into two main categories: algorithms that work in any group G, and algorithms that 
depend on a particular group G. 

In the first category are algorithms like Shanks's baby-step giant-step algorithm, 
which runs in $O(n^{1/2})$ time (ignoring logarithmic factors) [Coh93]. The Pohlig-Hellman 
algorithm mentioned in Section 3.8 also works in any group, and it performs especially 
well if the factors of n are known and are all small; however, in the worst case it also 
requires $O(n^{1/2})$ time. In fact, in a "generic" group G of prime order p (that is, a group 
where the elements have unique encodings but where the encodings do not reveal any 
group structure that algorithms can take advantage of) a lower bound on the complexity 
of any classical algorithm to solve DLP is $\Omega(p^{1/2})$ steps [Sho97]. Some algorithms may 
take advantage of the structure of a specific group, however, which gives rise to the second 
main category of algorithms for DLP. 
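Algorithms 6.1–6.3 in the group $\mathbb{Z}_p^*$, together with Shanks's baby-step giant-step algorithm recovering a from the public $\alpha^a$, as an added Python example (not code from the thesis); the prime $2^{31} - 1$ and the generator 7 are constructed toy parameters, chosen so that the $O(n^{1/2})$ search finishes in well under a second, and the function names are ours:

```python
"""ElGamal in G = Z_p^* (Algorithms 6.1-6.3) and Shanks's baby-step giant-step
recovery of the private key from the public key (Section 6.2).
Added example, not code from the thesis. The prime is deliberately tiny (31 bits)
so that the O(n^{1/2}) search finishes instantly; 7 is a generator of Z_p^*."""
import math
import secrets

P_TOY = 2**31 - 1        # a prime; n = p - 1 is the order of G = Z_p^*
ALPHA_TOY = 7            # 7 is a generator (primitive root) of Z_p^* for this p


def keygen(p=P_TOY, alpha=ALPHA_TOY):
    """Algorithm 6.1: private a with 1 <= a <= n - 1, public (G, n, alpha, alpha^a)."""
    n = p - 1
    a = 1 + secrets.randbelow(n - 1)
    return (p, n, alpha, pow(alpha, a, p)), a


def encrypt(public_key, m):
    """Algorithm 6.2: gamma = alpha^k, delta = m (alpha^a)^k for a fresh random k."""
    p, n, alpha, alpha_a = public_key
    if not 1 <= m < p:
        raise ValueError("message must first be mapped to an element of Z_p^*")
    k = 1 + secrets.randbelow(n - 1)
    return pow(alpha, k, p), m * pow(alpha_a, k, p) % p


def decrypt(public_key, a, ciphertext):
    """Algorithm 6.3: m = gamma^{-a} delta (Theorem 6.4)."""
    p = public_key[0]
    gamma, delta = ciphertext
    return pow(gamma, -a, p) * delta % p    # negative exponent = modular inverse


def baby_step_giant_step(alpha, beta, p, n):
    """Shanks: return a with alpha^a = beta in Z_p^* (order n), using about
    n^{1/2} group operations and n^{1/2} stored baby steps."""
    m = math.isqrt(n) + 1                    # m^2 > n, so a = i*m + j, 0 <= i, j < m
    baby = {}
    cur = 1
    for j in range(m):                       # baby steps alpha^j
        baby.setdefault(cur, j)
        cur = cur * alpha % p
    giant_factor = pow(alpha, -m, p)         # alpha^{-m}
    cur = beta
    for i in range(m):                       # giant steps beta * alpha^{-im}
        if cur in baby:
            return (i * m + baby[cur]) % n
        cur = cur * giant_factor % p
    return None


def recover_private_key(public_key):
    """Section 6.2: the private key is the discrete log of alpha^a to the base alpha,
    both of which are public. Feasible here only because p is tiny."""
    p, n, alpha, alpha_a = public_key
    return baby_step_giant_step(alpha, alpha_a, p, n)
```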

In this second category are algorithms like the index calculus algorithms, which work 
in the multiplicative group of $GF(p^k)$, where p is a prime and k is a positive inte- 
ger. The index calculus algorithms are similar in structure to the sieving algorithms 
for factoring discussed in Section 4.2, and there are methods with a rigorous expected 
running time of $\exp\left[O\left((\log p^k)^{1/2}(\log\log p^k)^{1/2}\right)\right]$. There is also an analogue of the 
Number Field Sieve which is slightly more efficient, with an expected running time of 
$\exp\left[O\left((\log p^k)^{1/3}(\log\log p^k)^{2/3}\right)\right]$ (although this is a heuristic estimate). Even though 
they run in subexponential time, like the best known factoring algorithms, these algo- 
rithms for DLP still require superpolynomial time. 

However, Algorithm 3.17 requires time polynomial in log n, and thus is an efficient 
quantum algorithm to solve DLP in any group G. The existence of this efficient quantum 
algorithm implies that the ElGamal cryptosystem is not secure in a quantum setting: an 
attacker could use Algorithm 3.17 to compute Alice's private key a from her public key 
$\alpha^a$. Alternatively, the attacker could use Algorithm 3.17 to determine k from γ for a 
particular message and hence decrypt the message by computing $\delta(\alpha^a)^{-k} = m$. 



Chapter 7 

The McEliece Cryptosystem 



The McEliece cryptosystem was proposed in [McE78], and is based on problems in alge- 
braic coding theory. To generate a key pair, Alice constructs a linear error-correcting code 
that has an efficient decoding algorithm, and then uses some secret parameters to trans- 
form it into a different linear code with no apparent efficient decoding algorithm. The 
secret parameters that Alice has chosen allow her to perform the inverse transformation 
and then use an efficient algorithm to decrypt the ciphertext she receives. 



7.1 The Cryptosystem 

Before describing the McEliece cryptosystem, we give a brief introduction to the theory 
of error-correcting codes. For more information about error-correcting codes and infor- 
mation theory see, for example, [McE77]. Originally, coding theory was developed to 
allow data to be reliably transmitted through a channel that may distort the data during 
transmission. The idea of an error-correcting code is to introduce a certain amount of 
redundancy into the message being transmitted, so that even if errors do occur, they 
can be detected and possibly corrected. It should be noted that these codes are not 
"encryption schemes", in that they are not designed to protect the confidentiality of the 
data, and they have publicly known encoding and decoding procedures. 

Codes can be defined over any set of messages, but for our purposes, we will only 
consider binary codes, which use messages constructed from the alphabet $\mathbb{Z}_2 = \{0, 1\}$. If 
we wish to send messages of k bits in length, we consider our message space to be the 
set of k-tuples with entries from $\mathbb{Z}_2$. The idea of a code is to choose some n > k and 
define a one-to-one mapping between the message space and a subset of size $2^k$ of the set 
of binary n-tuples. This subset is called a code, and the elements of the subset are the 
code words. Since there are more bits in each code word than there are in each message, 
the code words can carry more information than the messages: namely the redundancy 
that we need to achieve the goals stated above. 

We begin with some basic definitions. 

Definition 7.1. Let x be an n-tuple with entries in $\mathbb{Z}_2$. The Hamming weight of x, 
denoted w(x), is the number of components of x that are equal to 1. 

Definition 7.2. Let x and y be n-tuples with entries in $\mathbb{Z}_2$. The distance between x and 
y, denoted d(x, y), is the number of components in which x and y differ. Equivalently, 
d(x, y) = w(x ⊕ y). 

We now introduce the concept of a linear code, which is one of the most common 
types of error-correcting codes. 
Definition 7.3. Let $V_n(\mathbb{Z}_2)$ be the n-dimensional vector space consisting of the n-tuples 
with entries from $\mathbb{Z}_2$. Let k < n. A (k, n) linear binary code is a k-dimensional subspace 
of $V_n(\mathbb{Z}_2)$. 

Definition 7.4. Let C be a linear binary code. A generator matrix for C is a k × n 
matrix with entries from $\mathbb{Z}_2$ whose rows form a basis for C. 

Let m be a k-bit (row) vector. The code word corresponding to the message m is the 
n-bit (row) vector mG, where G is the generator matrix for the code. When the code 
word is transmitted, errors may be introduced by the communication channel or by a 
malicious third party, and ideally the receiver will be able to detect and correct these 
errors. The decoding procedure (that is, the process of recovering the original message 
from the received binary string) may be complicated, and varies depending on the type 
of code being used. The codes that are of interest in coding theory are those with which 
the receiver can detect and correct a large number of errors relative to the size of the code 
words, and for which the decoding procedure is efficient. When describing a code, we 
often state its error-correcting capability, which is an integer representing the number of 
errors that may be introduced in a transmitted code word without affecting the receiver's 
ability to properly decode the received binary string. We also often state the distance of 
the code, which is the minimum distance between any two codewords. 

However, there are many linear codes for which there apparently exists no efficient de- 
coding procedure. In fact, given a generator matrix for a random subspace of $V_n(\mathbb{Z}_2)$ the 
problem of decoding a received binary string can be shown to be NP-complete [BMvT78]. 
The security of the McEliece cryptosystem is based on the hardness of this general de- 
coding problem. The cryptosystem uses a specific type of code called a binary Goppa 
code. 

Definition 7.5. Let $GF(2^l)$ denote the finite field with $2^l$ elements. Let G(x) be a poly- 
nomial of degree s with coefficients in $GF(2^l)$ and let $\alpha_1, \dots, \alpha_n \in GF(2^l)$ be chosen such 
that $G(\alpha_i) \neq 0$ for i = 1, . . . , n. These parameters define a binary Goppa code in which 
$c = (c_1, \dots, c_n) \in V_n(\mathbb{Z}_2)$ is a codeword if and only if 

$$\sum_{i=1}^{n} c_i (x - \alpha_i)^{-1} \equiv 0 \pmod{G(x)}.$$

Proposition 7.6. A Goppa code defined as above is a (k, n) linear binary code with 
$k \geq n - ls$ and distance at least s + 1. 

The bounds given in this proposition are not necessarily tight bounds, and many 
choices of parameters may result in codes with larger k and larger distances. Goppa 
codes are among the classes of codes that are of interest in coding theory because they 
have an efficient decoding procedure, which is described in [McE77]. The idea of the 
McEliece cryptosystem is to transform a randomly selected binary Goppa code into a 
general linear code using some secret parameters. Without knowledge of these secret 
parameters, the best decoding procedures for the resulting general code are thought to 
require superpolynomial time; with knowledge of the secret parameters, the general code 
can be transformed back to a Goppa code, where an efficient decoding procedure does 
exist. The cryptosystem is described below. 

To generate a McEliece key, Alice performs the following steps: 
Algorithm 7.7 (McEliece Key Generation). 

1. Alice constructs a linear t error-correcting Goppa code C with a k × n generator 
matrix G. 

2. Alice selects a k × k invertible matrix S (called a "scrambling matrix") and an n × n 
permutation matrix P. 

3. She computes $\hat{G} = SGP$. 

4. Alice's public key is $\hat{G}$, and her private key is (S, G, P). 

Note that the matrix $\hat{G}$ is a generator matrix for a general linear code that is related 
to C, but for which there is no apparent efficient decoding algorithm. 

To encrypt a message for Alice using the McEliece cryptosystem, Bob performs the 
following steps: 

Algorithm 7.8 (McEliece Encryption). 

1. Bob obtains Alice's public key $\hat{G}$. 

2. He converts the message to a k-bit binary vector m. 

3. He selects a random n-bit vector e of weight t. 

4. Bob computes the encrypted message $c = m\hat{G} \oplus e$. 



In other words, to encrypt a message, Bob starts with the message vector, computes 
the corresponding codeword in the general linear code, and adds a random "error" vector 
to the message. Since the new code has no apparent efficient decoding algorithm, it is 
hard for an attacker to correct the error and recover the original message. However, since 
Alice knows the matrices S and P she can use them to transform the codeword from this 
new code back to the original code, and then use the efficient decoding algorithm for that 
code. 

In other words, to recover the original message, Alice does the following: 
Algorithm 7.9 (McEliece Decryption). 

1. She computes $cP^{-1} = (mS)G \oplus eP^{-1}$. 

2. Since P is a permutation matrix, $eP^{-1}$ also has weight t. Alice can therefore use 
the efficient decoding algorithm for the original Goppa code C to remove the error 
$eP^{-1}$ and recover the codeword mS. 

3. She applies $S^{-1}$ to recover m. 



7.2 Security Of The System 

The best known classical attack on the McEliece cryptosystem is described in [AM88]; 
minor improvements to the algorithm have been suggested in [LB89] and others, however 
the general idea of the attack remains the same. 

Suppose the attacker obtains a ciphertext $c = m\hat{G} \oplus e$. She chooses k components of c, 
and uses them to form the shorter vector $\tilde{c}$. Let the positions of the chosen components be 
$i_1, i_2, \dots, i_k$, so $\tilde{c} = (c_{i_1}, c_{i_2}, \dots, c_{i_k})$. Let $\tilde{e} = (e_{i_1}, e_{i_2}, \dots, e_{i_k})$ denote the corresponding k 
components of e, and let $\tilde{G}$ denote the square matrix formed by taking the corresponding 
k columns of $\hat{G}$. Then 

$$\tilde{c} = m\tilde{G} \oplus \tilde{e}$$ 

and provided $\tilde{G}$ is invertible, 

$$(\tilde{c} \oplus \tilde{e})\tilde{G}^{-1} = m.$$ 

Thus if the k components of e all happen to be 0, the attacker is able to recover m 
by computing $\tilde{c}\tilde{G}^{-1} = m$. The idea of the attack is to choose various sets of components 
until a set is found for which those k components of e are all 0, at which point the message 
will be recovered. 

It is important for the attacker to have a method to recognise that the correct mes- 
sage m has been obtained, especially in cases where the message does not contain any 
redundancy; such a method was proposed in [LB89]. The method can be summarised in 
the following proposition: 

Proposition 7.10. The attack has succeeded (that is, $\tilde{c}\tilde{G}^{-1} = m$) if and only if 
$w(c \oplus \tilde{c}\tilde{G}^{-1}\hat{G}) \leq t$, where t is the error-correcting capability of C. 

Proof. First consider the case where $\tilde{c}\tilde{G}^{-1}$ is indeed the true message m. Recall that 
$c = m\hat{G} \oplus e$, so 

$$\begin{aligned}
w(c \oplus \tilde{c}\tilde{G}^{-1}\hat{G}) &= w(m\hat{G} \oplus e \oplus \tilde{c}\tilde{G}^{-1}\hat{G}) \\
&= w(m\hat{G} \oplus e \oplus m\hat{G}) \\
&= w(e) \\
&\leq t.
\end{aligned}$$

Next consider the case where $\tilde{c}\tilde{G}^{-1}$ is not the true message m, but instead some other 
binary string m'. Since C can correct t errors, by definition it must have distance greater 
than 2t, meaning that the number of components in which any two codewords differ is 
greater than 2t. So the codewords corresponding to m and m' must differ in more than 
2t components. That is, 

$$w(m\hat{G} \oplus m'\hat{G}) > 2t.$$ 

Note that $m\hat{G} = c \oplus e$ so we have 

$$w(c \oplus e \oplus \tilde{c}\tilde{G}^{-1}\hat{G}) > 2t$$ 

and since $w(e) \leq t$, 

$$w(c \oplus \tilde{c}\tilde{G}^{-1}\hat{G}) > t$$ 

and the proposition is proven. □ 

Thus the attacker has a method to easily determine when the attack has succeeded: 
she can exhaustively search all sets of components until the correct one is found and 
the message is recovered. The attack clearly requires time exponential in k. In [LB89], 
improvements and generalisations are suggested that improve the running time of the 
attack, although only by a polynomial factor. 
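Algorithms 7.7–7.9 and the success test of Proposition 7.10 worked through in Python, as an added example that is not code from the thesis. The binary Goppa code is replaced by the [7,4] Hamming code with t = 1 (an assumption made so that every matrix can be inspected by hand), which also makes the information-set search above exhaustive over the C(7,4) = 35 column subsets; all function names are ours:

```python
"""Toy McEliece (Algorithms 7.7-7.9) plus the success test of Proposition 7.10.
Added example, not code from the thesis: the binary Goppa code is replaced by
the [7,4] Hamming code (t = 1) so that every matrix can be inspected by hand."""
import random
from itertools import combinations

# Systematic generator matrix G = [I_4 | A] of the [7,4] Hamming code, used as
# the secret code C. Its minimum distance is 3 > 2t, so t = 1 error is corrected.
G_HAMMING = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
T_HAMMING = 1

def mat_mul(A, B):
    """Matrix product over GF(2)."""
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)]
            for row in A]

def vec_mat(v, A):
    """Row vector times matrix over GF(2)."""
    return mat_mul([v], A)[0]

def xor(u, v):
    return [a ^ b for a, b in zip(u, v)]

def transpose(A):
    return [list(col) for col in zip(*A)]

def gf2_inverse(A):
    """Inverse of a square GF(2) matrix by Gauss-Jordan; None if singular."""
    n = len(A)
    M = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col]), None)
        if pivot is None:
            return None
        M[col], M[pivot] = M[pivot], M[col]
        for r in range(n):
            if r != col and M[r][col]:
                M[r] = xor(M[r], M[col])
    return [row[n:] for row in M]

def hamming_decode(received):
    """Efficient decoder for C: correct at most one error via the syndrome and
    return the 4-bit message, i.e. the systematic part of the codeword."""
    k, n = len(G_HAMMING), len(G_HAMMING[0])
    A = [row[k:] for row in G_HAMMING]
    H = [at + [int(i == j) for j in range(n - k)]            # H = [A^T | I_3]
         for i, at in enumerate(transpose(A))]
    syndrome = [sum(h * r for h, r in zip(row, received)) % 2 for row in H]
    word = received[:]
    if any(syndrome):
        word[transpose(H).index(syndrome)] ^= 1              # flip the bad bit
    return word[:k]

def keygen(rng=None):
    """Algorithm 7.7: public key G_hat = S G P, private key (S, G, P)."""
    rng = rng or random.Random()
    k, n = len(G_HAMMING), len(G_HAMMING[0])
    while True:                                              # random invertible S
        S = [[rng.randint(0, 1) for _ in range(k)] for _ in range(k)]
        if gf2_inverse(S) is not None:
            break
    perm = list(range(n))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(n)] for i in range(n)]
    return mat_mul(mat_mul(S, G_HAMMING), P), (S, G_HAMMING, P)

def encrypt(m, G_hat, t, rng=None):
    """Algorithm 7.8: c = m G_hat + e, with e a random error vector of weight t."""
    rng = rng or random.Random()
    e = [0] * len(G_hat[0])
    for pos in rng.sample(range(len(e)), t):
        e[pos] = 1
    return xor(vec_mat(m, G_hat), e)

def decrypt(c, private_key):
    """Algorithm 7.9: c P^-1 = (mS) G + e P^-1; decode in C, then apply S^-1."""
    S, _, P = private_key
    mS = hamming_decode(vec_mat(c, transpose(P)))            # P^-1 = P^T
    return vec_mat(mS, gf2_inverse(S))

def success_test(c, candidate, G_hat, t):
    """Proposition 7.10: candidate equals m iff w(c + candidate G_hat) <= t."""
    return sum(xor(c, vec_mat(candidate, G_hat))) <= t

def information_set_decode(c, G_hat, t):
    """The generic attack of Section 7.2 on this toy instance: try k-subsets of
    positions until one is error-free and its k columns of G_hat are invertible.
    There are C(n, k) subsets to try, which is why real parameters are large."""
    k, n = len(G_hat), len(G_hat[0])
    for cols in combinations(range(n), k):
        G_tilde_inv = gf2_inverse([[row[j] for j in cols] for row in G_hat])
        if G_tilde_inv is None:
            continue
        candidate = vec_mat([c[j] for j in cols], G_tilde_inv)
        if success_test(c, candidate, G_hat, t):
            return candidate
    return None
```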

It is interesting to note that this approach will decode any code, not just one of the 
special form used in the McEliece cryptosystem; in other words, this attack solves the 
general decoding problem. However, as mentioned above, the general decoding problem 
is known to be NP-complete [BMvT78]. It is possible that if a polynomial-time attack 
is desired, the special form of a McEliece code will have to be exploited by the attacker. 
In [Hei87] it is shown that determining the plaintext from the ciphertext is polyno- 
mially equivalent to determining the Hamming weight of the plaintext. This and other 
facts are then used to develop and propose partial attacks on the McEliece cryptosystem 
and its variants. The attacks are shown to be generally unsuccessful against the original 
cryptosystem, but empirical evidence mentioned in [Hei87] suggests these attacks may be 
successful against some variants of the cryptosystem, such as schemes that use a different 
class of error correcting codes in the same general way. 

Unlike the first cryptosystems we discussed, it is not clear that there is a way to 
efficiently break the McEliece cryptosystem using a quantum computer. None of the 
algorithms presented in Chapter 3 seem to give a quantum attacker any advantage over a 
classical one. The hard problem on which the idea for the cryptosystem is based, namely 
the decoding of an arbitrary linear code, does not seem to fit well into the Hidden 
Subgroup Problem framework, and so it is unlikely that any of the algorithms we have 
discussed will be helpful to the attacker in developing a polynomial-time attack on the 
scheme. 

However, we could use a different quantum algorithm to speed up the best known 
classical attack (by a polynomial factor). The quantum algorithm proposed in [Gro96] 
(sometimes called Grover's algorithm) allows us to improve the performance of searching 
algorithms. Specifically, given a number of possible solutions to a problem, only some of 
which are correct, the algorithm allows us to find a correct solution more efficiently with 
a quantum computer than we can classically. This type of search is often referred to as 
a "needle in a haystack" problem since typically there are many incorrect solutions and 
only a few correct ones. For a description of Grover's algorithm, see for example [Gro96] 
or [NC00]. 

Suppose we have a set of n elements indexed by the set of integers S = {0, 1, . . . , n − 1}. 
Further suppose that we are given a function f: S → {0, 1} such that: 

1. f(x) = 1 if x is the index of an element which is a solution to the problem, and 

2. f(x) = 0 otherwise. 

The search succeeds when it finds an x such that f(x) = 1. If there is a constant number 
of such x, then the best classical searching algorithm (brute force search) requires O(n) 
time. However, Grover's quantum search algorithm requires only $O(\sqrt{n})$ time, which is 
a considerable improvement (although just a polynomial one). 

In the case of the attack on the McEliece cryptosystem mentioned above, our set of 
elements is the set of all k-subsets of the components of the codeword. For any particular 
subset A, according to Proposition 7.10, f(A) should be 1 if and only if $w(c \oplus \tilde{c}\tilde{G}^{-1}\hat{G}) \leq t$. 
This condition provides us with an efficient way of evaluating f. 

Using Grover's algorithm, then, we can achieve a square-root speedup over the clas- 
sical version of the search algorithm. While this still represents only a polynomial im- 
provement in the running time, such an improvement could pose a significant security 
threat for many of the McEliece parameter sizes that are currently thought of as secure. 



Chapter 8 

The Ajtai-Dwork Cryptosystem 



The Ajtai-Dwork cryptosystem [AD97] was one of the first proposed cryptosystems whose 
security was based on the hardness of problems involving lattices. This cryptosystem 
is currently not of practical interest since messages are encrypted bit-by- bit, and the 
ciphertext is very long compared to the plaintext; also recent attacks by Nguyen and 
Stern [NS98] have shown that the scheme with small parameters is insecure. Nonetheless, 
the cryptosystem has received a good deal of theoretical interest, especially since a proof 
of its security in [AD97] was based on worst-case instead of average-case analysis. 

Since the proposal of the Ajtai-Dwork scheme, there have been other proposals for 
cryptosystems based on lattices, some of which we will discuss later. There has been much 
recent interest in these "lattice-based" cryptosystems, perhaps because their security 
is based on problems that are fundamentally different from integer factorisation and 
computing discrete logarithms, and because the encryption and decryption rates for 
several of the schemes are asymptotically faster than those for the more widely-used 
cryptosystems. For an excellent overview of the many uses of lattices in cryptography 
and cryptanalysis, including simple descriptions of many of these schemes, we refer the 
reader to [NS00]. 

8.1 The Cryptosystem 

The details of the cryptosystem are quite complicated; so we present the general idea of 
the scheme and refer the reader to [AD97] for a more rigorous presentation. We begin 
with a few definitions. 

Definition 8.1. Let $w_1, \dots, w_n \in \mathbb{R}^n$. The parallelepiped W spanned by the $w_i$ is defined 
as $\{\sum_{i=1}^{n} \lambda_i w_i : 0 \leq \lambda_i < 1\}$. In other words, W is the set of all points that are a linear 
combination of the $w_i$ with coefficients between 0 and 1. 

Definition 8.2. Let $w_1, \dots, w_n \in \mathbb{R}^n$ and let W be the parallelepiped spanned by the $w_i$. 
Let $H_i$ be the (n − 1)-dimensional hyperplane spanned by the set $\{w_j : 1 \leq j \leq n, j \neq i\}$. 
The width of W is defined as the maximum of the perpendicular distances between $w_i$ and 
$H_i$ for 1 ≤ i ≤ n. 

To generate Ajtai-Dwork keys, Alice performs the following steps: 

Algorithm 8.3 (Ajtai-Dwork Key Generation (sketch)). 

1. Alice selects a vector u "uniformly at random" from the n-dimensional unit ball. 
(Note that she actually selects u from a large discrete set of vectors in the unit ball, 
as described in [AD97].) 

2. According to the procedure in [AD97] she defines a distribution $\mathcal{H}_u$ of points in the 
n-dimensional ball of radius $2^{n \log n}$ such that for each point h in the distribution, 
the inner product ⟨h, u⟩ is very close to an integer. 

3. She sets m = and selects the m + n points $v_1, \dots, v_m, w_1, \dots, w_n$ uniformly at 
random from the distribution $\mathcal{H}_u$ defined above. 

4. She verifies that the width of the parallelepiped spanned by $w_1, \dots, w_n$ is at least 
$n^{-2}\, 2^{n \log n}$. (With high probability this is true; otherwise, she begins the procedure 
again.) 

5. Alice's public key is $(v_1, \dots, v_m, w_1, \dots, w_n)$ and her private key is u. 

To encrypt a message for Alice, Bob does the following: 

Algorithm 8.4 (Ajtai-Dwork Encryption). 

1. Bob obtains Alice's public key $(v_1, \dots, v_m, w_1, \dots, w_n)$. Let W be the parallelepiped 
spanned by the $w_i$. 

2. He encrypts each bit z of the message as follows: 

2.1 If z = 0 then 

Bob chooses m values $a_1, \dots, a_m$ uniformly at random from {0, 1} and 
computes the linear combination $x = \sum_{i=1}^{m} a_i v_i$. 

He reduces x "modulo W", meaning he computes the unique vector c in 
W such that x − c is an integer linear combination of the $w_j$. 

2.2 If z = 1 then 

Letting $2^{-n}\mathbb{Z}^n = \{2^{-n}v : v \in \mathbb{Z}^n\}$, Bob selects a vector c "uniformly at 
random" from $W \cap 2^{-n}\mathbb{Z}^n$. 

3. In either case, the encrypted message is the vector c. 



Each bit of the plaintext is essentially encoded as a decision problem: to decrypt the 
ciphertext c, Alice (or an attacker) must decide whether c is a linear combination of the 
Vi (suitably reduced) or a random vector. More specifically, Alice can do the following: 

Algorithm 8.5 (Ajtai-Dwork Decryption). 

1. Alice computes ⟨c, u⟩ = z + δ, where z ∈ $\mathbb{Z}$ and −1/2 ≤ δ < 1/2. 

2. If |δ| < 1/n then c is decrypted as 0; otherwise it is decrypted as 1. 

In other words, if the inner product of the ciphertext and the private key is very close to 
an integer, Alice decrypts the ciphertext as 0. 

Theorem 8.6. Ajtai-Dwork decryption works properly (with high probability). 

For a complete proof of this result, refer to [AD97]. 

Sketch of Proof. First, we justify that if the original message bit was 0, it is always de- 
crypted correctly. Using the encryption procedure, Bob selects random $a_i$ and computes 
$x = \sum_{i=1}^{m} a_i v_i$. When he reduces x modulo W, he obtains the unique vector c such that 
x − c = w, where $w = \sum_{j=1}^{n} b_j w_j$ and the $b_j$ are integers. 
Note that 

$$\begin{aligned}
\langle c, u\rangle &= \langle x - w, u\rangle \\
&= \langle x, u\rangle - \langle w, u\rangle \\
&= \sum_{i=1}^{m} a_i \langle v_i, u\rangle - \sum_{j=1}^{n} b_j \langle w_j, u\rangle.
\end{aligned}$$

Since Alice chose the $v_i$ from the distribution $\mathcal{H}_u$ specifically so that their inner 
product with u was very close to an integer, we note that ⟨$v_i$, u⟩ is "close to" an integer 
for 1 ≤ i ≤ m. The $w_j$ are also chosen from $\mathcal{H}_u$, so ⟨$w_j$, u⟩ is "close to" an integer for 
1 ≤ j ≤ n. Finally, since the coefficients $a_i$ and $b_j$ are all integers, the inner product 
⟨c, u⟩ is "close to" an integer. 

With sufficient restrictions on the distribution $\mathcal{H}_u$, the authors of [AD97] formalise 
this intuitive argument and show that indeed this inner product is always within 1/n of 
an integer. Hence if a 0 is sent, Alice always correctly recovers the plaintext. 

We now consider the case where the original message bit was 1. In this case, Bob 
randomly selects a vector c from $W \cap 2^{-n}\mathbb{Z}^n$, so it is possible that the inner product 
of c with u could be close to an integer. As a result, there is a small probability that 
a 1 could be decrypted incorrectly as a 0. However, in Step 4 of Algorithm 8.3 the 
parallelepiped W was chosen to be wide enough that this event occurs with probability 
at most 1/n [AD97]. Thus, when a 1 is sent, decryption works properly with probability 
at least 1 − 1/n. □ 
8.2 Security Of The System 



It is interesting to note that despite its classification as a lattice-based cryptosystem, the 
Ajtai-Dwork scheme does not explicitly use lattices to encrypt or decrypt data. However, 
it is usually considered to be a lattice-based cryptosystem because in [AD97] its security 
was shown to be based on the worst-case hardness of a problem in lattice reduction. 
Before introducing this problem, we first present some basic definitions relating to lattices. 

Definition 8.7. Let $B = \{b_1, b_2, \dots, b_d\}$ be a set of d linearly independent vectors in 
$\mathbb{R}^n$. The lattice spanned by B is the set of all possible integer linear combinations of the 
vectors in B, denoted L(B). B is called a basis for the lattice L(B). We say L(B) has dimension d. 

Note that there are several possible bases for any given lattice. For example, given a 
basis for a lattice L, if we take any basis vector and add to it an integer linear combination 
of the other basis vectors, we obtain a different basis for the same lattice. 

Definition 8.8. Let L be a lattice in $\mathbb{R}^n$. The length of the shortest non-zero vector in 
L (with respect to the Euclidean norm) is called the first minimum of the lattice, and 
denoted $\lambda_1(L)$. 

Definition 8.9. Let L be a d-dimensional lattice in $\mathbb{R}^n$. For 1 ≤ i ≤ d, the $i^{\text{th}}$ successive 
minimum of the lattice, denoted $\lambda_i(L)$, is the smallest real number a such that there exist 
i linearly independent vectors in L whose norms are at most a. In other words, 

$$\lambda_i(L) = \min_{\substack{x_1, \dots, x_i \in L \\ \text{lin. indep.}}} \; \max_{1 \leq j \leq i} \|x_j\|.$$

Definition 8.10. Let L be a lattice in $\mathbb{R}^n$. The lattice gap of L is defined as the ratio 
between the second and first successive minima, $\lambda_2(L)/\lambda_1(L)$. 

There are several problems that are thought to be hard problems in lattice theory; 
we mention two of the best-known such problems. 

Problem 8.11 (The Shortest Vector Problem (SVP)). Given a lattice L of dimen- 
sion d in $\mathbb{R}^n$, find a vector v ∈ L such that $\|v\| = \lambda_1(L)$. 

There is no known polynomial time algorithm to solve SVP, or to approximate it to 
within a polynomial factor. The problem has been shown to be NP-hard under ran- 
domised reductions; that is, there is a probabilistic polynomial-time algorithm to reduce 
an instance of any problem in NP to an instance of SVP [Ajt98]. In fact, approximating 
the problem to within a factor of $\sqrt{2}$ is NP-hard under randomised reductions [NS00]. 
An important contrasting complexity result has been proven as well: approximating SVP 
to within a factor of $\sqrt{d}/O(\log d)$ is not NP-hard unless P = NP [GG98]. Despite all 
of these results, it has not been proved or disproved that SVP is NP-hard under deter- 
ministic reductions, and its NP-hardness is an important open question in lattice theory. 
The best known classical algorithms to approximate SVP are based on the LLL algo- 
rithm [LLL82] and its variants, which can approximate the solution to within a factor of 
$2^{(d-1)/2}$. In practice, the algorithm tends to outperform this theoretical bound. 

Problem 8.12 (The Closest Vector Problem (CVP)). Given a lattice L of dimen- 
sion d in $\mathbb{R}^n$ and a vector $u \in \mathbb{R}^n$, find a vector v ∈ L such that $\|u - v\|$ is minimised. 

As mentioned in [NS00], this problem is known to be NP-hard; in fact, approximating 
the problem to within any constant factor is NP-hard, and there is no known polynomial- 
time algorithm that can approximate CVP to within a polynomial factor of d. It is at 
least as hard as SVP (since SVP is a special case of CVP where the given vector is 
u = 0) and similarly approximating CVP to within a factor of $\sqrt{d}/O(\log d)$ is not NP- 
hard unless P = NP [GG98]. There are algorithms that can approximate CVP in $\mathbb{R}^n$ 
to within a factor of $2^{d/2}$ in the worst case; these algorithms are also based on the LLL 
algorithm and its variants, and as mentioned previously they tend to outperform this 
theoretical bound. 

The hardness of the Ajtai-Dwork scheme is not based on either of these problems 
exactly, but rather on a variant of SVP: 

Problem 8.13 (The Unique Shortest Vector Problem (USVP)). Given a lattice 
L of dimension d in $\mathbb{R}^n$ with lattice gap $\lambda_2(L)/\lambda_1(L) > n^c$ for some constant c, find a vector v ∈ L such that 
$\|v\| = \lambda_1(L)$. 

The name for this new problem comes from the fact that the shortest vector in 
a lattice with such a gap is "unique" , in that it is polynomially shorter than any other 
non-parallel vector in the lattice. In [AD97] the following equivalence between USVP and 
the Ajtai-Dwork cryptosystem is established: if for random instances of the cryptosystem 
there exists a probabilistic polynomial-time algorithm that is capable of distinguishing an 
encryption of from an encryption of 1, then there exists a probabilistic polynomial-time 
algorithm to solve a worst-case instance of USVP. 

Despite this promising result, Nguyen and Stern have proven that one can construct 
a probabilistic decryption algorithm for the Ajtai-Dwork cryptosystem, given an oracle 
capable of approximating CVP to within a factor polynomial in n (or equivalently an oracle 
capable of approximating SVP to within a factor polynomial in n; the exact exponents are given in [NS98]). Thus as pointed out 
in [NS00], since approximating CVP to within such a factor is not NP-hard [GG98] it is 
likely that breaking the Ajtai-Dwork cryptosystem is not NP-hard. 

The result of Nguyen and Stern suggests that attacks on the system should be possible, and indeed [NS98] presents a heuristic attack on the scheme based on lattice reduction algorithms. The attack is based on the fact that for each $v_i$, the inner product $\langle v_i, u \rangle$ is close to some (unknown) integer, and by finding short linear combinations of the $v_i$ one can obtain information about these unknown integers, which in turn reveals information about the private key $u$. The implementation of the attack uses lattice reduction algorithms like the LLL algorithm.

For $n = 8$, their experiments were able to recover the private key in under three hours, and for $n = 32$ the authors predicted that the attack would succeed in several days if the computations were done on several machines in parallel. Further, since for $n = 32$ storing the public key requires approximately 20 megabytes and the ciphertext for each message bit is 768 bytes long, the scheme is impractical.

With a classical attack like this one already known, the question of the scheme's quantum vulnerabilities becomes one of purely theoretical interest. There has been little work done in applying quantum algorithms to these well-known lattice problems. Some preliminary results were proven in [ME97], but they do not seem to provide much advantage in this case. More recently, in [Reg02] it was shown that USVP can be reduced to the Hidden Subgroup Problem (HSP) in the dihedral group. However, while some work has been done on solving HSP in the dihedral group [Ey00], there is still no known efficient quantum algorithm to solve it completely. The quantum tools from Chapter 3, which solve the Abelian HSP, do not seem to be of much use to a quantum attacker.

Grover's algorithm, introduced briefly in Chapter 7, does not have a clear application in this context either. The best known attacks on the system all rely on the LLL algorithm, which does not seem well-suited to being sped up with Grover's algorithm.

If quantum algorithms are to provide a quantum attacker with an advantage over a classical one, it is likely that new algorithms will have to be developed. The problems in lattice theory form one class of hard problems for which the known quantum algorithms cannot significantly outperform the known classical algorithms. It is possible that lattice-based cryptosystems (that resist classical attacks more successfully than the Ajtai-Dwork system) may be cryptosystems that are also resistant to quantum attacks.



Chapter 9 

The Goldreich-Goldwasser-Halevi 
Cryptosystem 

Like the Ajtai-Dwork cryptosystem, the Goldreich-Goldwasser-Halevi (GGH) cryptosys- 
tem [GGH97] is based on the hardness of problems in lattice reduction. We can choose 
many different bases to represent the same lattice, and using a different basis can make 
it much more difficult to solve particular instances of these problems. It is this fact on 
which the GGH cryptosystem is based. 

The GGH algorithms for encryption and decryption are more efficient than the corresponding algorithms in the more popular RSA and ElGamal schemes; however, the increased efficiency of encryption and decryption is offset by the fact that GGH public keys are considerably longer.

Recently, an attack has been discovered that successfully breaks the cryptosystem for most practical parameter sizes [Ngu99]. Despite the resulting impracticality of the scheme, it is still an important cryptosystem from a theoretical point of view, since along with the Ajtai-Dwork scheme, it was one of the first lattice-based cryptosystems.

9.1 The Cryptosystem 

We begin by presenting some more definitions that are important to the study of lattice 
theory. 

Definition 9.1. Let $B$ be an $n \times n$ non-singular matrix with real entries, and let $L$ be the $n$-dimensional lattice in $\mathbb{R}^n$ with the rows of $B$ as a basis. The determinant of the lattice $L$ is defined to be the absolute value $|\det B|$ of the determinant of the matrix $B$.

Note that the determinant of the lattice is independent of the choice of basis. We 
also define the orthogonality defect of a lattice basis, which is a quantity that represents 
how "non-orthogonal" the basis vectors are. 

Definition 9.2. Let $b_1, b_2, \ldots, b_n$ be a basis for an $n$-dimensional lattice $L$ in $\mathbb{R}^n$, and let $B$ be the $n \times n$ non-singular matrix with the $b_i$ as its rows. The orthogonality defect of the basis (or equivalently of the matrix $B$) is defined as

$$\frac{\prod_{i=1}^{n} \|b_i\|}{|\det B|},$$

where $\|\cdot\|$ represents the Euclidean norm.

By Hadamard's Inequality [Coh93] we know that $|\det B| \le \prod_{i=1}^{n} \|b_i\|$, with equality if and only if the $b_i$ are orthogonal. Thus a matrix $B$ has orthogonality defect 1 if and only if its rows are orthogonal to one another, and otherwise its orthogonality defect is greater than 1. In other words, the smaller the orthogonality defect, the more orthogonal the rows of $B$.

In general, it is easier to solve most lattice problems (hke SVP and CVP) if we have 
a basis with vectors that are more orthogonal. The idea of the GGH cryptosystem is 
that the public key consists of a basis with high orthogonality defect that Bob uses to 
encode a message in an instance of CVP, and the private key consists of a basis with 
low orthogonality defect that Alice uses to solve the instance of CVP and recover the 
message. 

We now present the cryptosystem; for more details, refer to [GGH97].
To generate a GGH key, Alice does the following:
Algorithm 9.3 (GGH Key Generation).

1. Using a procedure described in [GGH97], Alice generates a full-rank lattice $L$, and two matrices $R$ and $B$ whose rows form bases for $L$. The generation procedure ensures that $B$ has high orthogonality defect, and $R$ has low orthogonality defect.

2. She also selects a positive integer $\sigma$, as described in [GGH97], which acts as a security parameter.

3. Her public key is $(B, \sigma)$ and her private key is $R$.



To encrypt a message for Alice using the GGH cryptosystem, Bob does the following:
Algorithm 9.4 (GGH Encryption).

1. Bob obtains Alice's public key $(B, \sigma)$.

2. Bob represents his message as a vector $m \in \mathbb{Z}^n$.

3. He generates an error vector $e$ by setting each entry of $e$ to either $\sigma$ or $-\sigma$, each with probability $1/2$.

4. He computes the ciphertext $c = mB + e$.



The error vector $e$ disguises the message $m$ from an attacker; however, it is designed to be small enough that $mB$ is still the closest vector in the lattice to $c$. Ideally, the public basis is not "orthogonal enough" to allow an attacker to find that closest vector, but Alice can use her private, more orthogonal basis to find it. More specifically, to decrypt the ciphertext, Alice does the following:

Algorithm 9.5 (GGH Decryption).

1. Alice represents $c$ as a linear combination of the rows of $R$ (that is, she computes $cR^{-1}$), where the coefficients are not necessarily integers.

2. She rounds off each coefficient in the linear combination to the nearest integer and obtains a lattice vector $v$.

3. She represents $v$ as a linear combination of the rows of $B$, that is, she computes $vB^{-1}$, which is an integer vector since $v$ lies in the lattice.

4. With high probability, the coefficients of this linear combination are the entries in the message vector $m$.



We note that it is possible for the decryption procedure to fail, since the rounding off technique (which was proposed by Babai in [Bab86]) may not result in the correct lattice point. However, the authors of [GGH97] show that by selecting the parameter $\sigma$ properly, Alice can ensure that decryption works with high probability. It is also true that when decryption fails, Alice can detect that it has failed. For more details about these facts, see [GGH97].

Note that despite the fact that they are based on the hardness of different problems, the GGH cryptosystem and the McEliece cryptosystem (described in Chapter 7) are quite similar. In the GGH scheme, the public and private keys are different representations of the same lattice, and in the McEliece scheme, the public and private keys are different representations of the same linear code. In both cases, encrypting a message corresponds to performing a transformation involving the public key representation and adding a random error vector in such a way that it can easily be removed only with knowledge of the private key representation.



9.2 Security Of The System 

First consider the task of determining the plaintext given only the ciphertext. Correctly performing this task amounts to solving an instance of CVP: the eavesdropper, given only $c = mB + e$, needs to first find $mB$, which (assuming $\sigma$ is not too large) is the vector in the lattice closest to $c$. As mentioned previously, there is no known polynomial time algorithm to solve CVP exactly, or to approximate it to within a polynomial factor.

Next note that by construction the public basis $B$ has high orthogonality defect and the private basis $R$ has low orthogonality defect. Thus in order to determine the private key given only the public key, an eavesdropper would need to solve (or at least approximate a solution to) a different problem that is also thought to be hard:

Problem 9.6 (The Smallest Basis Problem (SBP)). Given a basis $B$ for a lattice $L$ in $\mathbb{R}^n$, find the "smallest" basis $B'$ for $L$.

There are many ways that the "smallest" basis of a lattice could be defined (in this case we consider the basis with the smallest orthogonality defect). As with the other lattice problems defined previously, there are no known polynomial-time algorithms to solve SBP or to approximate it to within a polynomial factor, although there are algorithms based on the LLL algorithm and its variants that can approximate SBP in $\mathbb{R}^n$ to within a factor of $2^{O(n)}$ in the worst case.

Originally the authors of the cryptosystem suggested three classical attacks on the 
system, each of which is shown to require an infeasible amount of work in sufficiently 
high dimension. We briefly mention these attacks, and refer the reader to [GGH97] for 
more details. All of the attacks assume that the public basis B has been reduced to a 
new basis B' (with smaller orthogonality defect) using the LLL algorithm or one of its 
variants, since this is a logical first step for any solution to the problems on which the 
cryptosystem is based. 

In the first attack, Eve uses the reduced basis $B'$ to perform the same rounding off technique that Alice uses in the decryption procedure with the private basis $R$. The vector Eve obtains will be an approximation to the correct message vector, and can be used as a starting point for an exhaustive search for the message. According to experiments cited in [GGH97], in dimensions up to 80 this attack works well since the LLL algorithm tends to perform very well in practice, but in higher dimensions the attack quickly becomes infeasible since a measure of the work required grows exponentially with the dimension.
The second attack also involves using the reduced basis $B'$ to approximate CVP, but using Babai's "nearest plane" algorithm (a better approximation algorithm also proposed in [Bab86]). Essentially, whereas the rounding off algorithm rounds off all of the coefficients of the resulting vector at the same time, the nearest plane algorithm rounds them off one by one in a more adaptive way. Again according to the experiments performed by the authors of [GGH97], the attack is much more successful than the rounding off attack and is generally successful in dimensions up to 120, but again in higher dimensions the work required grows exponentially.

To perform the third attack, for a particular ciphertext $c = mB + e$ Eve creates a new lattice $L'$ of dimension $n + 1$ as specified by the rows of the matrix

$$B' = \begin{pmatrix} B & 0 \\ c & 1 \end{pmatrix},$$

where the $0$ denotes a column of $n$ zeros. The vector $v = e \,\|\, (1)$ (where the operator $\|$ indicates vector concatenation) is a short vector in $L'$, since $v = (c \,\|\, 1) - (mB \,\|\, 0)$, and in fact, as explained in [Ngu99], it is likely that it will be the shortest vector in $L'$. Thus if we attempt to solve SVP in $L'$ using the LLL algorithm or one of its variants, we hope that we will find the vector $v$, from which we can recover $m$. (Note that this attack is a general approach to solving CVP by "embedding" an instance of CVP in an instance of SVP.) Unlike in the first two attacks, if this heuristic fails to recover the correct message, it is not clear whether the incorrect message can be used as a starting point for an exhaustive search. Nonetheless, the attack seems to be fast and successful in dimensions up to about 120.
Based on their experiments, the authors of [GGH97] conjectured that the problem of breaking the cryptosystem was intractable in dimension 300 or higher. However, in [Ngu99] the author presents a different attack that exploits some weaknesses in the encryption scheme and does break it in higher dimensions. Recall that $c = mB + e$ where $e$ is a vector with each entry equal to $\pm\sigma$. Defining $s = (\sigma, \ldots, \sigma) \in \mathbb{Z}^n$ we see that $e + s \equiv 0 \pmod{2\sigma}$ and hence $c + s \equiv mB \pmod{2\sigma}$. It is further shown in [Ngu99] that this modular equation has very few solutions with high probability, and it is not hard to compute all of them. So we can easily determine $m \bmod 2\sigma$. With this partial information, we can simplify the CVP instance defined by a ciphertext and obtain a new CVP instance where the error vector is much shorter than $e$: writing $m = m_0 + 2\sigma m'$ with $m_0 \equiv m \pmod{2\sigma}$ now known, we have $(c + s - m_0 B)/(2\sigma) = m'B + e'$, where $e' = (e + s)/(2\sigma)$ has entries in $\{0, 1\}$. Then by applying the embedding technique (or some other algorithm for CVP) to this new instance we are more likely to be able to recover the original message. As predicted, experiments cited in [Ngu99] indicate that this attack can break the scheme in dimensions up to about 400. In dimensions higher than 400, the parameters become so large as to make the scheme practically infeasible.
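The key generation, encryption and decryption of Algorithms 9.3 to 9.5, together with the first step of Nguyen's attack just described, as an added worked example in Python; this is not code from [GGH97] or [Ngu99]. The sizes are assumptions made for the toy: the dimension is 6 rather than hundreds, the private basis is $R = kI + E$ with $k$ large enough relative to $\sigma$ that Babai rounding with $R$ always succeeds, the public basis is obtained from $R$ by random unimodular row operations, and key generation is repeated until $\det B$ is coprime to $2\sigma$ so that the congruence $mB \equiv c + s \pmod{2\sigma}$ has exactly one solution (the few-solutions case handled in [Ngu99] is not implemented). The lattice reduction that would finish the attack on the shrunken instance is also not implemented; the example only verifies that $m \bmod 2\sigma$ is recovered and that the remaining error vector lies in $\{0,1\}^n$.

```python
import math
import random
from fractions import Fraction
from math import gcd

# Constructed toy sizes (an assumption): dimension n, error magnitude sigma, and the
# private basis R = k*I + E with the entries of E in [-l, l], the shape used in [GGH97].
# k is taken large relative to sigma so that rounding with R always succeeds here.
n, sigma, k, l = 6, 3, 20, 1


def vecmat(v, M):  # row vector times matrix
    return [sum(a * b for a, b in zip(v, col)) for col in zip(*M)]


def inverse(A):  # exact Gauss-Jordan inverse over the rationals
    m = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)] for i, row in enumerate(A)]
    for col in range(n):
        piv = next(r for r in range(col, n) if m[r][col] != 0)
        m[col], m[piv] = m[piv], m[col]
        m[col] = [x / m[col][col] for x in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                m[r] = [x - m[r][col] * y for x, y in zip(m[r], m[col])]
    return [row[n:] for row in m]


def keygen(rng):
    """Algorithm 9.3: private R nearly orthogonal, public B = U R for a random unimodular U."""
    while True:
        R = [[k * (i == j) + rng.randint(-l, l) for j in range(n)] for i in range(n)]
        B = [row[:] for row in R]
        for _ in range(4 * n):  # b_i += +-b_j keeps the lattice; the sign is chosen so that ||b_i|| grows
            i, j = rng.sample(range(n), 2)
            sgn = 1 if sum(x * y for x, y in zip(B[i], B[j])) >= 0 else -1
            B[i] = [x + sgn * y for x, y in zip(B[i], B[j])]
        Binv = inverse(B)
        # assumption for the attack demo: det B coprime to 2 sigma, so mB = c + s (mod 2 sigma) has one solution
        if all(gcd(x.denominator, 2 * sigma) == 1 for row in Binv for x in row):
            return R, inverse(R), B, Binv


def defect_ratio(B, R):  # defect(B) / defect(R); the determinants agree, so only the row norms differ
    prod_norm = lambda M: math.prod(math.sqrt(sum(x * x for x in row)) for row in M)
    return prod_norm(B) / prod_norm(R)


def encrypt(B, m, rng):  # Algorithm 9.4: c = mB + e with e in {-sigma, sigma}^n
    e = [rng.choice((-sigma, sigma)) for _ in range(n)]
    return [x + y for x, y in zip(vecmat(m, B), e)], e


def decrypt(R, Rinv, Binv, c):  # Algorithm 9.5 (Babai rounding); None when the failure is detected
    v = vecmat([round(x) for x in vecmat(c, Rinv)], R)  # nearest lattice point with respect to R
    if any(abs(ci - vi) != sigma for ci, vi in zip(c, v)):
        return None  # c - v is not a valid error vector, so the rounding went to the wrong point
    return [int(x) for x in vecmat(v, Binv)]  # v is a lattice point, so its coefficients are integers


def nguyen_partial(B, Binv, c):
    """[Ngu99]: recover m mod 2 sigma from c + s = mB (mod 2 sigma) and shrink the error to {0,1}^n."""
    two_s, cs = 2 * sigma, [x + sigma for x in c]
    t = vecmat(cs, Binv)  # rational entries; denominators are coprime to 2 sigma by construction
    m0 = [x.numerator * pow(x.denominator, -1, two_s) % two_s for x in t]
    # c + s - m0 B = (m - m0) B + (e + s) = 2 sigma (m' B + e') with m' integral and e' in {0,1}^n
    return m0, [(x - y) // two_s for x, y in zip(cs, vecmat(m0, B))]


def demo(seed):
    """One key and one constructed message: decryption, the defect ratio and Nguyen's partial step."""
    rng = random.Random(seed)
    R, Rinv, B, Binv = keygen(rng)
    m = [rng.randint(-9, 9) for _ in range(n)]  # constructed message vector
    c, e = encrypt(B, m, rng)
    m0, c2 = nguyen_partial(B, Binv, c)
    m_prime = [(x - y) // (2 * sigma) for x, y in zip(m, m0)]
    return {"decrypt_ok": decrypt(R, Rinv, Binv, c) == m, "defect_ratio": defect_ratio(B, R),
            "m_mod_ok": m0 == [x % (2 * sigma) for x in m],
            "short_error": [x - y for x, y in zip(c2, vecmat(m_prime, B))],
            "expected_short_error": [(x + sigma) // (2 * sigma) for x in e]}
```

Calling demo(seed) returns whether decryption with $R$ recovered $m$, the ratio of the public basis's orthogonality defect to the private one's (always above 1 here, since every row operation lengthens the row it modifies), whether $m \bmod 2\sigma$ was recovered from the public data alone, and the error vector $e'$ of the shrunken instance next to the value $(e + s)/(2\sigma)$ it must equal.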

As with the Ajtai-Dwork cryptosystem presented in Chapter 8, quantum attacks on 
the GGH cryptosystem are only theoretically interesting, since there are effective classical 
attacks against the scheme. Again, however, there seem to be very few known quantum 
algorithms that could assist an attacker further. The Abelian Hidden Subgroup Problem 
(HSP) framework does not seem useful, nor does Grover's searching algorithm. The 
reduction in [Reg02] is interesting in this context, although it is not currently useful 
to a quantum attacker since we know of no efficient algorithm to solve HSP in the 
dihedral group. Again, the current evidence suggests that lattice-based cryptosystems 
could perhaps be systems that resist quantum attacks as well as they do classical ones. 



Chapter 10 

The NTRU Cryptosystem 



The NTRU cryptosystem [HPS98] is a relatively new cryptosystem that uses polynomial 
arithmetic for encryption and decryption. One of the most efficient known classical 
attacks on the cryptosystem is based on a problem in lattice reduction. Because of this 
attack, the scheme is often referred to as a "lattice-based" cryptosystem, even though 
the description of the system does not rely on lattices. 

The cryptosystem has the interesting property that there exist valid ciphertexts that 
cannot be decrypted properly using the private key. For this reason, many of the se- 
curity properties that can be proven for traditional public key encryption schemes do 
not hold for the NTRU cryptosystem. In [Pro03] a new class of encryption schemes is 
defined called imperfect public key encryption schemes, which allow for the possibility of 
such "indecipherable" ciphertexts. The paper also presents a new attack on the scheme 
that attempts to recover the private key by searching for indecipherable ciphertexts. In 
experiments, this attack has been successful against the system parameter sets originally 
suggested in [HPS98].

10.1 The Cryptosystem 

We work in the ring $\mathbb{Z}[x]/(x^N - 1)$ for some integer $N$. We first define a notation for classes of polynomials in this ring:

Definition 10.1. The set $\mathcal{L}(d_1, d_2)$ is the set of polynomials in $\mathbb{Z}[x]/(x^N - 1)$ with $d_1$ coefficients equal to $1$, $d_2$ coefficients equal to $-1$, and the remaining coefficients equal to $0$.

To generate an NTRU key, Alice performs the following steps:
Algorithm 10.2 (NTRU Key Generation).

1. Alice selects two coprime integers $p$ and $q$ with $q$ considerably larger than $p$, and an integer $N$. She also selects integers $d_f$, $d_g$, and $d_r$ considerably smaller than $N$. (These parameters may be chosen to provide the desired level of security for the cryptosystem as described in [HPS98].)

2. She randomly selects two polynomials $F \in \mathcal{L}(d_f, d_f - 1)$ and $G \in \mathcal{L}(d_g, d_g)$.

3. She computes the polynomials $F_p^{-1}$ and $F_q^{-1}$, the inverses of $F$ modulo $p$ and modulo $q$, respectively. That is, $FF_p^{-1} \equiv 1$ (when the coefficients are taken modulo $p$) and $FF_q^{-1} \equiv 1$ (when the coefficients are taken modulo $q$). (Such inverses will exist with high probability; if they do not, she begins the procedure again.)

4. Alice calculates $H = F_q^{-1} G \bmod q$.

5. Alice's public key is $(p, q, N, d_r, H)$, and her private key is $F$ (together with $F_p^{-1}$, which is needed for decryption and can be recomputed from $F$).
To encrypt a message for Alice using the NTRU cryptosystem, Bob performs the following steps:

Algorithm 10.3 (NTRU Encryption).

1. Bob obtains Alice's public key $(p, q, N, d_r, H)$.

2. He converts the message to a polynomial $M \in \mathbb{Z}[x]/(x^N - 1)$ with coefficients in the range $[-p/2, p/2]$.

3. He selects a random polynomial $R \in \mathcal{L}(d_r, d_r)$.

4. Bob computes the encrypted message $C = (pRH + M) \bmod q$.

To decrypt the ciphertext and recover the original message, Alice does the following:

Algorithm 10.4 (NTRU Decryption).

1. She computes the polynomial $A = FC \bmod q$, choosing the coefficients of $A$ to be integers in the interval $[-q/2, q/2]$.

2. She computes $M' = F_p^{-1} A \bmod p$.

3. With high probability, $M'$ is the original message.



Theorem 10.5. NTRU decryption works properly (with high probability).
Justification. As mentioned above, there exist certain ciphertexts that cannot be properly decrypted using the private key. Although not proven rigorously, there is heuristic evidence that such indecipherable ciphertexts occur rarely, as demonstrated in [Sil01] and [Sil02].

Note that

$$A = FC \bmod q = (FpRH + FM) \bmod q = (FpRF_q^{-1}G + FM) \bmod q = (pRG + FM) \bmod q.$$

Suppose the coefficients of the polynomial $A = (pRG + FM) \bmod q$ computed by Alice happen to be exactly the same as those of the unreduced polynomial $B = pRG + FM$. In that case, the decryption algorithm will work properly, since reducing $A$ modulo $p$ produces $FM \bmod p$, and multiplying by $F_p^{-1}$ (and reducing modulo $p$ again) correctly recovers $M$. In other words, we wish to show that we can choose parameters for the system so that the polynomial $A$ computed by Alice is exactly equal to the polynomial $B$ in $\mathbb{Z}[x]/(x^N - 1)$. Since Alice computes $A$ choosing its coefficients to lie in the interval $[-q/2, q/2]$, it is sufficient to ensure that with high probability the coefficients of $B$ lie in the same interval.

In [Sil01] the ways in which this sufficient condition may not be met are classified into two categories:

1. "Wrapping failure" is said to occur if the maximum coefficient of $B$ is greater than or equal to $q/2$, or if the minimum coefficient of $B$ is less than or equal to $-q/2$. In this case, when Alice chooses the coefficients of $A$ to be in the interval $[-q/2, q/2]$, she will not obtain $B$, and hence she will obtain an incorrect decrypted message. (To allow her to detect such a failure, the authors of [HPS98] suggest including some kind of redundancy in the message so that its proper decryption can be verified.)

2. "Gap failure" is said to occur if the difference between the maximum and minimum coefficients of $B$ (called the "spread" of $B$ [Sil01]) is greater than $q$. In this case, when Alice chooses the coefficients of $A$ to be in any interval of width $q$, she will not obtain $B$, and hence she will obtain an incorrect decrypted message.

For a particular parameter set, the probability of wrapping or gap failure can be estimated by performing many encryptions of random messages and calculating the proportion of them that exhibit each type of failure when decryption is attempted. This is the strategy employed in [Sil01], and for the parameter sets suggested in that paper the estimates for the failure probabilities are indeed low (small for wrapping failure, and smaller still by several orders of magnitude for gap failure). It should be noted that these are empirical estimates, and that the gap failure probabilities in [Sil01] were calculated using an approximation formula (whose correctness is justified further in [Sil02]) since the chance of actually observing an instance of gap failure is so small.

This evidence indicates that indeed NTRU decryption tends to work properly in practice. $\square$

It should be noted, however, that while the probability of obtaining one of these 
indecipherable ciphertexts may indeed be small, an attacker can use one of them to 
obtain information about the corresponding private key [Pro03]. 
10.2 Security Of The System



NTRU is usually considered to be a lattice-based cryptosystem; despite the fact that 
lattices are not used in the encryption or decryption algorithms, one of the most efficient 
known classical attacks on the cryptosystem is based on finding short vectors in a lattice. 
We present the attack briefly below, as it is presented in [HPS98]. 

Recall that Alice's public key is $(p, q, N, d_r, H)$. Let the coefficients of $H$ be given by $h_0, h_1, \ldots, h_{N-1}$, so that $H = \sum_{i=0}^{N-1} h_i x^i$. We define the following $2N \times 2N$ matrix, where $\alpha$ is a parameter chosen by the attacker:

$$
B = \begin{pmatrix}
\alpha & 0 & \cdots & 0 & h_0 & h_1 & \cdots & h_{N-1} \\
0 & \alpha & \cdots & 0 & h_{N-1} & h_0 & \cdots & h_{N-2} \\
\vdots & & \ddots & \vdots & \vdots & & \ddots & \vdots \\
0 & 0 & \cdots & \alpha & h_1 & h_2 & \cdots & h_0 \\
0 & 0 & \cdots & 0 & q & 0 & \cdots & 0 \\
0 & 0 & \cdots & 0 & 0 & q & \cdots & 0 \\
\vdots & & \ddots & \vdots & \vdots & & \ddots & \vdots \\
0 & 0 & \cdots & 0 & 0 & 0 & \cdots & q
\end{pmatrix}
$$

(row $i$ of the upper right block is the coefficient vector of $x^i H$ in $\mathbb{Z}[x]/(x^N - 1)$). Let the rows of $B$ be $b_0, b_1, \ldots, b_{2N-1}$. Recall that $H = F_q^{-1} G \bmod q$, so $G = HF \bmod q$. In other words, there exists some polynomial $K \in \mathbb{Z}[x]/(x^N - 1)$ such that $G = HF + qK$. Let the coefficients of $F$ be $f_0, f_1, \ldots, f_{N-1}$ and the coefficients of $K$ be $k_0, k_1, \ldots, k_{N-1}$; these coefficients are all integers. Then note that

$$
f_0 b_0 + f_1 b_1 + \cdots + f_{N-1} b_{N-1} + k_0 b_N + k_1 b_{N+1} + \cdots + k_{N-1} b_{2N-1}
= (\alpha F) \,\|\, (HF + qK) = (\alpha F) \,\|\, G,
$$

where the operator $\|$ indicates vector concatenation and a polynomial stands for its vector of coefficients. In other words, if we let $L$ be the lattice spanned by the rows of $B$, we see that the vector $\tau = (\alpha F) \,\|\, G$ is in $L$. The goal of the attacker will be to choose $\alpha$ so that $\tau$ is a short vector in the lattice $L$ and to attempt to find it using lattice reduction techniques like the LLL algorithm [LLL82] and its variants.

In [HPS98] the authors next make use of the Gaussian heuristic, which does not seem to be well-known, but which estimates the expected length of the shortest vector in a "random" lattice of dimension $d$. The heuristic says that a sphere that contains a lattice point at its centre and exactly one other lattice point is expected to have a volume equal to the determinant $D$ of the lattice; the radius of such a sphere therefore provides an estimate of (and, heuristically, an upper bound on) the length of the shortest vector in the lattice [Why03]. Specifically, the heuristic says that the expected length of the shortest vector in a random lattice of dimension $d$ is approximately

$$ s = \sqrt{\frac{d}{2\pi e}}\, D^{1/d}. $$

In our case, the determinant of $L$ is equal to $\det B = \alpha^N q^N$; we also have $d = 2N$. Thus the expected length of the shortest vector in $L$ should be close to

$$ s = \left(\frac{2N}{2\pi e}\right)^{1/2} \left(\alpha^N q^N\right)^{1/(2N)} = \sqrt{\frac{N \alpha q}{\pi e}}. $$

In order for the lattice reduction algorithms to have the greatest chance of finding the vector $\tau$, the attacker would like to maximise the probability that it is one of the shortest vectors in the lattice. This will be likely if $\tau$ is considerably shorter than this expected length of the shortest vector. In other words, the attacker should choose $\alpha$ to maximise the ratio $s/\|\tau\|$. Note that $\|\tau\| = \sqrt{\alpha^2 \|F\|^2 + \|G\|^2}$, where the norm of a polynomial is taken to mean the norm of the vector of its coefficients. Thus,

$$ \frac{s}{\|\tau\|} = \sqrt{\frac{N \alpha q}{\pi e}} \cdot \frac{1}{\sqrt{\alpha^2 \|F\|^2 + \|G\|^2}}. \qquad (10.1) $$

Since $N$, $q$, $\pi$, and $e$ are all fixed, the attacker should attempt to maximise

$$ \psi(\alpha) = \frac{\alpha}{\alpha^2 \|F\|^2 + \|G\|^2}. $$

Differentiating this expression with respect to $\alpha$ and setting the derivative equal to zero, we see that it is maximised when $\alpha = \|G\| / \|F\|$. We assume that the attacker has knowledge of $\|F\|$ and $\|G\|$ (or equivalently of $d_f$ and $d_g$, since $\|F\|^2 = 2d_f - 1$ and $\|G\|^2 = 2d_g$), which is not an unrealistic assumption since the values of $d_f$ and $d_g$ are specified in the sets of suggested system parameters listed in [HPS98]. The attacker can therefore compute this optimal value for $\alpha$, and proceed to use the LLL algorithm to find short vectors in $L$ (as described for example in [Coh93]).
In [HPS98] this optimal value for $\alpha$ is substituted back into Equation (10.1); since $\alpha^2 \|F\|^2 = \|G\|^2$ at the optimum, this gives the constant

$$ c = \sqrt{\frac{Nq}{2\pi e\, \|F\|\, \|G\|}}. $$

It is noted that this $c$ can be used as a measure of the "randomness" of the lattice defined by $B$. If $c$ is close to 1, the vector $\tau$ is not considerably shorter than the expected length of the shortest vector in a random lattice, and so in that sense $L$ is fairly "random" and typical reduction algorithms should work less effectively than when $c$ is larger.

Based on limited evidence, it would appear as though the time required for this attack 
is still exponential in N, with a constant in the exponent proportional to 1/c [HPS98]. 
In [May99] a modification of this attack was proposed that requires a lattice of smaller 
dimension, and as a result the attack runs more quickly. The new attack is especially 
successful against certain classes of keys, even when using parameters of a size that were 
originally thought to provide high security. These classes of keys should therefore be 
avoided. 

The imperfection of the decryption algorithm has recently been shown to be a serious 
weakness of the scheme. The attack proposed in [Pro03] is effective against the parameter 
sets proposed in [HPS98] provided that the attacker has access to an oracle that given 
a ciphertext returns only whether the ciphertext could be properly decrypted using the 
corresponding private key. It is therefore desirable to choose parameter sets that minimise 
the probability of obtaining such an indecipherable ciphertext, or in other words, to 
minimise the probability of wrapping failure and gap failure. 

Another strategy to avoid such an attack is to perform further processing on indecipherable ciphertexts in an attempt to recover the correct plaintext. Examples of this further processing are suggested in [Sil01]. If wrapping failure occurs, Alice may recalculate the polynomial $A$ with coefficients in the interval $[-q/2 + x, q/2 + x]$ for various (positive and negative) values of $x$ and try again. Provided gap failure has not occurred, this correction mechanism will likely succeed for some small value of $x$, and Alice will be able to recover the correct plaintext. Correction for gap failure is more difficult than for wrapping failure, since in order to obtain $B$ Alice would have to move some of the coefficients of $A$ outside the interval $[-q/2, q/2]$ again. Since the set of coefficients that need to be moved is unknown, this correction method is much less feasible.

However, in both of these cases, as noted in [Pro03], the attacker may still be able 
to use timing and power analysis to determine when further processing is required, and 
hence when a ciphertext was not decipherable using the standard decryption algorithm. 
In that case, the attack could still be ultimately successful. 

It is unclear whether the system is more vulnerable in a quantum setting; the algo- 
rithms from Chapter 3 do not seem to provide the quantum attacker with any useful 
tools. As discussed with respect to some of the previous schemes, it may be possible to 
use Grover's algorithm to speed up the known classical attacks (or parts of them). In 
the case of the first attack, such an improvement is not immediately obvious since the 
majority of the running time is spent in the LLL algorithm (which as we have mentioned 
previously is not easily improved upon with quantum resources) . In the case of the sec- 
ond attack, such an improvement might be more feasible since the initial search for an 
indecipherable ciphertext could possibly be sped up by a square root factor. Other steps 
of the second attack, such as modifying the first indecipherable ciphertext to find another 
one which is "nearly decipherable" , might also run faster using Grover's algorithm. 



Chapter 11 



A Quantum Public Key 
Cryptosystem 



All of the cryptosystems presented so far have been classical cryptosystems, in that 
they use only classical operations in all of the key generation, encryption, and decryption 
algorithms. If we wish to find cryptosystems that resist attacks with a quantum computer, 
however, it seems natural to also allow the use of quantum operations in any of the 
three algorithms. The cryptosystem presented in [OTU00] and summarised below uses some quantum operations to generate keys, and then uses purely classical algorithms to encrypt and decrypt messages. We will refer to this scheme as the Quantum Public Key cryptosystem (QPKC).


11.1 The Cryptosystem 



Before presenting the cryptosystem, we first present some definitions and results from 
algebraic number theory that are important to understanding the cryptosystem. First 
we introduce a few concepts related to algebraic numbers and algebraic integers. 

Definition 11.1. Let $\alpha \in \mathbb{C}$. Then we say $\alpha$ is an algebraic number if there exists a non-zero $p \in \mathbb{Z}[x]$ such that $p(\alpha) = 0$. Further, if $p$ can be chosen to be monic (that is, with a leading coefficient of 1) then we say $\alpha$ is an algebraic integer.

Definition 11.2. Let $\alpha$ be an algebraic number. Let $m \in \mathbb{Z}[x]$ be chosen such that $m(\alpha) = 0$, the leading coefficient of $m$ is positive, and the coefficients of $m$ are coprime. If we further choose $m$ to be of minimal degree, then $m$ is unique and irreducible and is called the minimal polynomial of $\alpha$.

Definition 11.3. Let $R \subseteq \mathbb{C}$. The set of integers of $R$, denoted $\mathcal{O}_R$, is the intersection of $R$ with the set of all algebraic integers. If $R$ is a ring, then $\mathcal{O}_R$ is also a ring.

We also introduce the concept of a number field, and the embedding of a number field 
in C. 

Definition 11.4. A number field $K$ is a subfield of $\mathbb{C}$ which is finite-dimensional when considered as a vector space over $\mathbb{Q}$. The degree of $K$ is the dimension of this vector space.

Proposition 11.5. Let $K$ be a number field of degree $n$. There exists $\theta \in K$ such that $K = \mathbb{Q}[\theta]$, and the minimal polynomial of $\theta$ has degree $n$. There exist exactly $n$ embeddings of $K$ in $\mathbb{C}$, which are the maps in which $\theta \mapsto \theta_i$ for $i = 1, \ldots, n$, where the $\theta_i$ are the distinct roots in $\mathbb{C}$ of the minimal polynomial of $\theta$.

Definition 11.6. Let $K$ be a number field of degree $n$. Let $\sigma_1, \ldots, \sigma_n$ denote the embeddings of $K$ in $\mathbb{C}$. For any $\alpha \in K$, the norm of $\alpha$ is given by

$$ N(\alpha) = \prod_{i=1}^{n} \sigma_i(\alpha). $$

We now define ideals, prime ideals, cosets, and quotient rings. 

Definition 11.7. Let R be a ring. An ideal of R is a subset ICR with the following 

properties: 

1. I is a subgroup of {R, +), and 

2. if a & I and r & R then ra e /. 

Definition 11.8. An ideal I of a ring R is called a prime ideal if I ^ R and ab & I 

implies a E I or b E I. 

Definition 11.9. Let $I$ be an ideal of a ring $R$. The set $a + I = \{a + x : a \in R,\ x \in I\}$ is 
called the coset of $I$ corresponding to $a$. Addition and multiplication of cosets are defined 
as follows: 

• $(a_1 + I) + (a_2 + I) = (a_1 + a_2) + I$ 

• $(a_1 + I) \cdot (a_2 + I) = (a_1 \cdot a_2) + I$ 

Proposition 11.10. Let $I$ be an ideal of a ring $R$. The set of cosets of $I$ is a ring under 
the operations of addition and multiplication defined above. This new ring is called a 
quotient ring and is denoted $R/I$. 

Finally we mention three more well-known results that we will use later. The second of 
these results is a rewording of Proposition 1 from [OTU00]. The third is a generalisation 
of Fermat's Little Theorem. 

Proposition 11.11. Let $K$ be a number field and let $\mathfrak{p}$ be a non-zero prime ideal of $\mathcal{O}_K$. 
Then $\mathcal{O}_K/\mathfrak{p}$ is a finite field. The cardinality of $\mathcal{O}_K/\mathfrak{p}$ is called the norm of $\mathfrak{p}$ and denoted 
$\mathcal{N}(\mathfrak{p})$. 


Proposition 11.12. Let $K$ be a number field of degree $n$ and let $\mathfrak{p}$ be a prime ideal 
of $\mathcal{O}_K$. Then there exist elements $\omega_1, \ldots, \omega_n \in \mathcal{O}_K$ and $e_1, \ldots, e_n \in \mathbb{Z}$ such that the 
elements of $\mathcal{O}_K/\mathfrak{p}$ are uniquely represented by the elements of 



Proposition 11.13. Let $\mathfrak{p}$ be a prime ideal of $\mathcal{O}_K$, and let $g$ be a non-zero element from 
$\mathcal{O}_K/\mathfrak{p}$. Then $g^{\mathcal{N}(\mathfrak{p}) - 1} \equiv 1 \pmod{\mathfrak{p}}$. 

We now present the cryptosystem. The steps basically correspond to the steps 
in [OTU00], although some minor variations have been made for clarity. 

To generate a key in this quantum public key cryptosystem, Alice performs the following 
steps: 

Algorithm 11.14 (QPKC Key Generation). 

1. Alice selects a set $\mathcal{K}$ of number fields, and integers $n$ and $k$. (These parameters 
may be chosen to provide the desired level of security for the cryptosystem.) 

2. She randomly selects an algebraic number field $K$ from $\mathcal{K}$. 



3. She selects a prime ideal $\mathfrak{p}$ of $\mathcal{O}_K$, and a generator $g$ of the multiplicative group of 
the finite field $\mathcal{O}_K/\mathfrak{p}$. 

4. She chooses $n$ elements $p_1, \ldots, p_n$ from $\mathcal{O}_K/\mathfrak{p}$ such that the following two conditions 
are satisfied: 

4.1 $\mathcal{N}(p_1), \ldots, \mathcal{N}(p_n)$ are coprime, and 

4.2 For any subset $\{i_1, \ldots, i_k\} \subseteq \{1, \ldots, n\}$, the product $\prod_{j=1}^{k} p_{i_j}$ is an element of the set $R$ 
defined in Proposition 11.12. 

5. Alice uses the quantum algorithm for finding discrete logarithms described in Section 3.8 
to find $q_1, \ldots, q_n$ such that $p_i \equiv g^{q_i} \pmod{\mathfrak{p}}$, where $q_i \in \mathbb{Z}_{\mathcal{N}(\mathfrak{p}) - 1}$ for 
$i = 1, \ldots, n$. 

6. She randomly selects a rational integer $d$ in $\mathbb{Z}_{\mathcal{N}(\mathfrak{p}) - 1}$, and computes the values 
$b_i = (q_i + d) \bmod (\mathcal{N}(\mathfrak{p}) - 1)$ for $i = 1, \ldots, n$. 

7. Alice's public key is $(\mathcal{K}, n, k, b_1, \ldots, b_n)$ and her private key is $(K, \mathfrak{p}, g, d, p_1, \ldots, p_n)$. 



Note that the condition in Step 4.2 seems complicated to check, but based on the 
set of number fields selected, it may be possible to simplify it. For example, in [OTU00] 
the authors present a version of this scheme that sets $\mathcal{K}$ to be the set of all imaginary 
quadratic number fields. In this particular case, by using some further results from 
number theory, it can be shown that checking the condition amounts to verifying that 
some bounds are met on the size of the norms of the $p_i$. Similar simplifications may be 
possible for other choices of $\mathcal{K}$, and one general method is presented in [OTU00] (although 
this method results in an encryption scheme with a low information rate). 
To encrypt a message for Alice, Bob performs the following steps: 

Algorithm 11.15 (QPKC Encryption). 

1. He starts with a message $m$ of length $\lfloor \log \binom{n}{k} \rfloor$ bits. 

2. He uses the following procedure to encode $m$ into a binary string $s = s_1 s_2 \cdots s_n$ of 
length $n$ bits and of Hamming weight $k$: 

2.1 He sets $l \leftarrow k$. 

2.2 For $i$ from 1 to $n$: 

If $m \geq \binom{n-i}{l}$ then Bob sets $s_i \leftarrow 1$, $m \leftarrow m - \binom{n-i}{l}$ and $l \leftarrow l - 1$. 

Otherwise, he sets $s_i \leftarrow 0$. 

3. Bob computes the encrypted message $c = \sum_{i=1}^{n} s_i b_i$. 

To decrypt the ciphertext and recover the original message, Alice does the following: 

Algorithm 11.16 (QPKC Decryption). 

1. She computes $r = (c - kd) \bmod (\mathcal{N}(\mathfrak{p}) - 1)$. 

2. She computes $u \in \mathcal{O}_K$ such that $u \equiv g^{r} \pmod{\mathfrak{p}}$. 

3. She finds an element $v$ such that $u$ and $v$ are in the same coset of $\mathfrak{p}$, and $v$ is in the 
set $R$ defined in Proposition 11.12. 

4. Alice recovers $s$ from $v$ as follows: 

4.1 For $i$ from 1 to $n$: 

If $p_i \mid v$ then she sets $s_i \leftarrow 1$. 
Otherwise she sets $s_i \leftarrow 0$. 

5. Alice recovers $m$ from $s$ as follows: 

5.1 She sets $m \leftarrow 0$, and $l \leftarrow k$. 

5.2 For $i$ from 1 to $n$: 

If $s_i = 1$, then set $m \leftarrow m + \binom{n-i}{l}$ and $l \leftarrow l - 1$. 
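As an added worked example (not code from the thesis or from [OTU00]), Algorithms 11.14 to 11.16 specialised to the simplest number field $K = \mathbb{Q}$, where $\mathcal{O}_K = \mathbb{Z}$, the prime ideal is $p\mathbb{Z}$, $\mathcal{N}(\mathfrak{p}) = p$ and the set $R$ of Proposition 11.12 is $\{0, \ldots, p-1\}$. The quantum discrete-logarithm step is replaced by exhaustive tabulation, which only works because the parameters are toy-sized; the parameter choices, seed and helper names are this example's own assumptions.

```python
# Added example, not from the thesis: Algorithms 11.14-11.16 specialised to the
# rational field K = Q, so O_K = Z, the prime ideal is pZ with N(p) = p, the residue
# field O_K/p is F_p, and the set R of Proposition 11.12 is {0, ..., p-1}. The
# quantum discrete-logarithm step (Step 5) is replaced by a table lookup, which is
# only feasible because the toy parameters are tiny.
import math
import random
from itertools import combinations


def msg_bits(n, k):
    """Message length of Algorithm 11.15, Step 1: floor(log2 C(n, k))."""
    return math.floor(math.log2(math.comb(n, k)))


def encode_weight_k(m, n, k):
    """Algorithm 11.15, Step 2: m in [0, C(n, k)) -> n-bit list of Hamming weight k."""
    s, l = [], k
    for i in range(1, n + 1):
        if m >= math.comb(n - i, l):
            m -= math.comb(n - i, l)
            l -= 1
            s.append(1)
        else:
            s.append(0)
    return s


def decode_weight_k(s, k):
    """Algorithm 11.16, Step 5: the inverse of encode_weight_k."""
    n, m, l = len(s), 0, k
    for i, bit in enumerate(s, start=1):
        if bit:
            m += math.comb(n - i, l)
            l -= 1
    return m


def is_prime(x):
    return x > 1 and all(x % q for q in range(2, math.isqrt(x) + 1))


def generator_mod(p):
    """Smallest g generating the multiplicative group F_p^* (Step 3)."""
    prime_factors = [q for q in range(2, p) if (p - 1) % q == 0 and is_prime(q)]
    return next(g for g in range(2, p)
                if all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors))


def keygen(n, k, seed):
    """Algorithm 11.14 over K = Q. Returns (public key, private key)."""
    rng = random.Random(seed)
    # Step 4: the p_i are the first n primes, so their norms are coprime (4.1).
    p_elems = [q for q in range(2, 20 * n * n) if is_prime(q)][:n]
    # Condition 4.2: every product of k of the p_i must already lie in R = {0..p-1},
    # so take p to be the first prime above the largest such product.
    bound = max(math.prod(c) for c in combinations(p_elems, k))
    p = next(x for x in range(bound + 1, 2 * bound + 2) if is_prime(x))
    g = generator_mod(p)
    # Step 5: q_i with g^q_i = p_i (mod p), by exhaustive tabulation instead of Shor.
    dlog = {pow(g, q, p): q for q in range(p - 1)}
    q_elems = [dlog[pi] for pi in p_elems]
    # Step 6: hide the logs behind a random shift d modulo N(p) - 1 = p - 1.
    d = rng.randrange(p - 1)
    b = [(qi + d) % (p - 1) for qi in q_elems]
    return (n, k, b), (p, g, d, p_elems)


def encrypt(public, m):
    """Algorithm 11.15: c = sum_i s_i b_i over the integers (no reduction)."""
    n, k, b = public
    if not 0 <= m < 2 ** msg_bits(n, k):
        raise ValueError("message out of range")
    s = encode_weight_k(m, n, k)
    return sum(si * bi for si, bi in zip(s, b))


def decrypt(public, private, c):
    """Algorithm 11.16 over K = Q."""
    n, k, _ = public
    p, g, d, p_elems = private
    r = (c - k * d) % (p - 1)                        # Step 1: the k*d shift cancels
    v = pow(g, r, p)                                 # Steps 2-3: g^r mod p already lies in R
    s = [1 if v % pi == 0 else 0 for pi in p_elems]  # Step 4: does p_i divide v?
    return decode_weight_k(s, k)                     # Step 5


if __name__ == "__main__":
    pub, priv = keygen(10, 3, seed=2024)
    for m in (0, 17, 63):
        c = encrypt(pub, m)
        print(f"m={m:2d}  s={''.join(map(str, encode_weight_k(m, 10, 3)))}  "
              f"c={c}  decrypt={decrypt(pub, priv, c)}")
```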



Theorem 11.17. The decryption procedure works properly. 

Proof. First consider the value $u$ computed by Alice in the decryption procedure. Note 
that 

$$
\begin{aligned}
u &\equiv g^{r} \pmod{\mathfrak{p}} \\
  &\equiv g^{c - kd} \pmod{\mathfrak{p}} \\
  &\equiv g^{\left(\sum_{i=1}^{n} s_i (q_i + d)\right) - kd} \pmod{\mathfrak{p}} \\
  &\equiv \prod_{i=1}^{n} \left(g^{q_i}\right)^{s_i} \pmod{\mathfrak{p}} \\
  &\equiv \prod_{i=1}^{n} p_i^{s_i} \pmod{\mathfrak{p}}.
\end{aligned}
$$

Next consider the element $v \in R$ such that $v \equiv u \pmod{\mathfrak{p}}$. We claim that in fact 
$v = \prod_{i=1}^{n} p_i^{s_i}$. Suppose that the claim is not true. By the condition in Step 4.2, since 
exactly $k$ of the $s_i$ are 1 and the rest are 0, $\prod_{i=1}^{n} p_i^{s_i}$ is an element of $R$. Since the elements 
of $R$ are in distinct cosets of $\mathfrak{p}$ it must be true that $v \not\equiv \prod_{i=1}^{n} p_i^{s_i} \pmod{\mathfrak{p}}$. Finally, since 
$v \equiv u \pmod{\mathfrak{p}}$ we must have $u \not\equiv \prod_{i=1}^{n} p_i^{s_i} \pmod{\mathfrak{p}}$, which is a contradiction. Thus 

$$v = \prod_{i=1}^{n} p_i^{s_i}.$$

As pointed out in [OTU00], it is not always true that $\mathcal{O}_K$ is a unique factorisation 
domain. However, note that 

$$\mathcal{N}(v) = \prod_{i=1}^{n} \mathcal{N}(p_i)^{s_i}$$

by the definition of the norm. By the condition in Step 4.1, $\mathcal{N}(p_1), \ldots, \mathcal{N}(p_n)$ were all 
chosen to be coprime. As a result there is a unique decomposition of $\mathcal{N}(v)$ into a product 
of the $\mathcal{N}(p_i)$, and hence a unique decomposition of $v$ into a product of the $p_i$. 

The remainder of the decryption algorithm finds this unique decomposition of $v$ into 
a product of the $p_i$, recovering the correct values for the $s_i$, and then correctly decodes 
the $s_i$ back to the message $m$. □ 



11.2 Security Of The Scheme 

Consider the task faced by a passive attacker Eve who wishes to determine the private 
key from the public key. It is hard for Eve to determine the correct number field $K$ from 
the set $\mathcal{K}$, since $\mathcal{K}$ could be exponentially large. If the field $K$ were revealed in some 
way, there could be exponentially many generators $g$ for the field. Since only a small 
number of elements from $\mathcal{O}_K/\mathfrak{p}$ are chosen as the $p_i$, it is unlikely that an attacker could 
correctly determine even a small subset of the $p_i$, and in order for some known attacks on 
similar schemes to succeed, a large subset is required. Further, even if a large subset were 
determined, the attacker would still have to find the one-to-one correspondence between 
the known $p_i$ and the $b_i$. This task should be difficult without knowledge of both $g$ and 
$d$ since the relationship between an element and its discrete logarithm tends to appear 
random. These observations from [OTU00] are all heuristic, but they do seem to indicate 
that it should be difficult for an attacker to determine the private key from the public 
key. 

To determine the plaintext of a message from a ciphertext, the attacker must solve 
an instance of the following problem: 

Problem 11.18 (Subset-Sum Problem (SSP)). Given the positive integers $c$ and 
$b_1, \ldots, b_n$, find $m_1, \ldots, m_n \in \{0, 1\}$ such that $c = \sum_{i=1}^{n} m_i b_i$. 

SSP is known to be NP-complete, and thus it is unlikely that there is a polynomial-time 
algorithm that solves general instances of the problem. However, there are algorithms 
that have been successful in solving instances that satisfy certain conditions. The 
density of an instance of SSP is defined as 

There are algorithms based on the LLL algorithm that are generally successful at solving 
SSP instances with a density less than 0.9408 [CLOS91]. This and similar attacks have 
been used to successfully cryptanalyse other schemes based on the hardness of SSP, 
and so to avoid these attacks, we wish to ensure that we can choose parameters for 
this quantum cryptosystem that result in a sufficiently high density. Indeed, as shown 
in [OTU00], the implementation of the scheme with $\mathcal{K}$ chosen to be the set of imaginary 
quadratic number fields results in a density that is at least 1, and this provides some 
evidence that the scheme could resist such an attack. 



Chapter 12 

Diffie-Hellman Key Establishment 

So far we have described a number of public key encryption schemes, which allow Bob 
to send a secret message to Alice even if they have never met before to agree on a secret 
key. In the following chapters, we will discuss key establishment protocols, in which Alice 
and Bob (who still may never have met before) send a series of messages over a public 
channel, they each perform some mathematical operations, and they each obtain a copy 
of a secret key. If Eve is listening on the public channel and intercepts all of the messages 
sent between Alice and Bob, she should not be able to determine this secret key. Once 
a secret key has been established, Alice and Bob can use it to encrypt messages for one 
another using a symmetric key encryption scheme, for example. The first proposed key 
establishment protocol was the Diffie-Hellman protocol. 

12.1 The Protocol 

The Diffie-Hellman key establishment protocol works as follows: 

Algorithm 12.1 (Diffie-Hellman Protocol). 

1. Alice and Bob agree on a group $G$ of prime order $p$ and a generator $g$ of $G$. (These 
choices can be made public.) 

2. Alice selects an integer $a$ uniformly at random from $\{0, \ldots, p - 1\}$. She computes 
the value $g^a$ and sends it to Bob. 

3. Bob selects an integer $b$ uniformly at random from $\{0, \ldots, p - 1\}$. He computes the 
value $g^b$ and sends it to Alice. 

4. Bob uses $b$ and the value he receives from Alice to compute $(g^a)^b = g^{ab}$. 

5. Alice uses $a$ and the value she receives from Bob to compute $(g^b)^a = g^{ab}$. 

At the end of the protocol, Alice and Bob share the secret value $g^{ab}$, which they can 
use to derive a secret key. 

12.2 Security Of The Protocol 



The only values that are sent on the public channel are $g^a$ and $g^b$. This means that in 
order to determine the secret key, Eve must solve the following problem: 

Problem 12.2 (Diffie-Hellman Problem (DHP)). Let $G$ be a group of prime order 
$p$, and let $g$ be a generator of $G$. Given $g$, $g^a$, and $g^b$ where $a$ and $b$ are selected uniformly 
at random from $\{0, \ldots, p - 1\}$, find $g^{ab}$. 

Note that if Eve can solve the Discrete Logarithm Problem (DLP) she can solve DHP: 
she can simply compute $a$ from $g^a$, and then compute $(g^b)^a = g^{ab}$. In other words, DHP 
is polynomial-time reducible to DLP. There are some groups in which it is also true that 
DLP is reducible to DHP, but this is not known to be true in general: the equivalence of 
DLP and DHP in general remains an open problem. It is clear, however, that the group 
$G$ must be chosen carefully so that DLP is computationally infeasible in $G$, such as the 
multiplicative group $\mathbb{Z}_p^*$ where $p$ is prime, or the group of points on an elliptic curve over 
a finite field. For more examples of such groups, see [MvOV96]. 

The most common attack on the Diffie-Hellman protocol is not to solve DHP directly 
but rather to solve DLP. Thus the algorithms discussed in Chapter 6 are the best classical 
algorithms currently known to break the scheme. Recall that these algorithms all require 
superpolynomial time and so the Diffie-Hellman protocol is widely thought to be secure 
against a passive adversary with a classical computer. However, because of the existence 
of a polynomial time quantum algorithm for DLP as discussed in Section 3.8, the protocol 
is not secure against an adversary with a quantum computer. 



Chapter 13 

Buchmann-Williams Key Establishment 

The Buchmann-Williams key establishment protocols are protocols whose security is 
based on the hardness of problems in algebraic number theory. There are two versions of 
the protocol, one which takes place in an imaginary quadratic number field [BW88] and 
another which takes place in a real quadratic number field [BW90]. The imaginary version 
of the protocol is the Diffie-Hellman protocol set in a particular finite Abelian group, 
whereas the real version of the protocol is a variation on the Diffie-Hellman protocol set 
in a finite set that is "group-like". 

13.1 The Protocol 



Before presenting the protocol, we mention some important definitions and results. For 
more details, see for example [Coh93] or [Jac99]. 

Definition 13.1. Let $\Delta$ be a non-square integer congruent to 0 or 1 mod 4. The quadratic 
field of discriminant $\Delta$ is 

$$\mathbb{Q}[\sqrt{\Delta}] = \mathbb{Q} + \sqrt{\Delta}\,\mathbb{Q}.$$

The quadratic order of discriminant $\Delta$ is given by 

If $\Delta < 0$ we call $\mathcal{O}_\Delta$ an imaginary quadratic order, and if $\Delta > 0$ we call $\mathcal{O}_\Delta$ a real 
quadratic order. In either case, $\mathcal{O}_\Delta$ is a subring of $\mathbb{Q}[\sqrt{\Delta}]$. 

Definition 13.2. A fractional ideal of $\mathcal{O}_\Delta$ is a subset of $\mathbb{Q}[\sqrt{\Delta}]$ of the form 

$$\mathfrak{a} = q\left(a\mathbb{Z} + \frac{b + \sqrt{\Delta}}{2}\,\mathbb{Z}\right)$$

where $q \in \mathbb{Q}$, $a, b \in \mathbb{Z}$, $a, q > 0$ and $b^2 \equiv \Delta \pmod{4a}$. We denote $\mathfrak{a}$ by the triple $(q, a, b)$. 
If $q = 1$ the ideal is called a primitive ideal. 

Like the ideals introduced in Definition 11.7, a fractional ideal of $\mathcal{O}_\Delta$ is invariant 
under multiplication by elements of $\mathcal{O}_\Delta$. However, unlike those ideals, a fractional ideal 
of $\mathcal{O}_\Delta$ is not necessarily a subset of $\mathcal{O}_\Delta$. 

We can define a multiplication operation on ideals as follows: 
Definition 13.3. Let $\mathfrak{a}$ and $\mathfrak{b}$ be ideals of $\mathcal{O}_\Delta$. The product of $\mathfrak{a}$ and $\mathfrak{b}$ is 

$$\mathfrak{a}\mathfrak{b} = \left\{ \sum_{(\alpha, \beta) \in U} \alpha\beta : U \subseteq \mathfrak{a} \times \mathfrak{b},\ |U| < \infty \right\}.$$

The product $\mathfrak{a}\mathfrak{b}$ is also an ideal of $\mathcal{O}_\Delta$; that is, the set of ideals is closed under 
multiplication. The order $\mathcal{O}_\Delta$ itself acts as a multiplicative identity since $\mathfrak{a}\mathcal{O}_\Delta = \mathcal{O}_\Delta\mathfrak{a} = 
\mathfrak{a}$. 

Definition 13.4. An ideal $\mathfrak{a}$ is said to be invertible if there exists an ideal $\mathfrak{a}^{-1}$ such that 
$\mathfrak{a}\mathfrak{a}^{-1} = \mathcal{O}_\Delta$. 

Definition 13.5. An ideal $\mathfrak{a}$ is said to be principal if there exists an element $\alpha \in \mathbb{Q}[\sqrt{\Delta}]$ 
such that $\mathfrak{a} = \alpha\mathcal{O}_\Delta$. 

The set of invertible ideals forms a group under multiplication; this group is denoted 
$\mathcal{I}_\Delta$. Every principal ideal is invertible, since $(\alpha\mathcal{O}_\Delta)^{-1} = \alpha^{-1}\mathcal{O}_\Delta$, and in fact the set of 
principal ideals forms a subgroup of $\mathcal{I}_\Delta$; this subgroup is denoted $\mathcal{P}_\Delta$. We now come to 
a very important definition: 

Definition 13.6. The class group of $\mathcal{O}_\Delta$ is the factor group $\mathcal{I}_\Delta/\mathcal{P}_\Delta$, and is denoted by 
$Cl_\Delta$. The class number of $\mathcal{O}_\Delta$ is the order of $Cl_\Delta$, and is denoted by $h_\Delta$. 

Thus the class group $Cl_\Delta$ is a set of equivalence classes, where two invertible ideals $\mathfrak{a}$ 
and $\mathfrak{b}$ are in the same equivalence class if and only if there is some principal ideal $\alpha\mathcal{O}_\Delta$ 
such that $\alpha\mathcal{O}_\Delta\mathfrak{a} = \mathfrak{b}$. It turns out that these equivalence classes form a finite Abelian 
group under the multiplication operation defined above. 
The above definitions are the same for both imaginary and real quadratic orders, 
but many of the properties of these two types of quadratic orders are quite different. 
We will first describe some further properties of imaginary quadratic orders and their 
class groups and present the imaginary Buchmann-Williams key establishment protocol 
from [BW88]. We will then describe some further properties of real quadratic orders and 
their class groups and present the real Buchmann-Williams key establishment protocol. 
The real version of the protocol was first published in [BW90], although the presentation 
in [SBW94] is considerably more detailed and complete. 

13.1.1 The Imaginary Case 

In this section we assume that $\Delta < 0$ so that $\mathcal{O}_\Delta$ is an imaginary quadratic order. 

Definition 13.7. Let $\mathfrak{a}$ be a primitive ideal of $\mathcal{O}_\Delta$ with the representation 

$$\mathfrak{a} = a\mathbb{Z} + \frac{b + \sqrt{\Delta}}{2}\,\mathbb{Z}$$

where $a, b \in \mathbb{Z}$, $a > 0$ and $b^2 \equiv \Delta \pmod{4a}$. Let $c = \frac{b^2 - \Delta}{4a}$. Then $\mathfrak{a}$ is called a reduced 
ideal if $0 \le b \le a \le c$, or if $0 \le -b < a < c$. 

When dealing with the equivalence classes that are the elements of a factor group, 
ideally we would like to have a canonical representative of each equivalence class so that 
we can use those representatives for computation. (For example, in the factor group 
$\mathbb{Z}_p = \mathbb{Z}/p\mathbb{Z}$ we use the representatives $0, 1, \ldots, p - 1$ for the equivalence classes.) In the 
case of imaginary quadratic orders, each equivalence class in $Cl_\Delta$ contains exactly one 
reduced ideal. Thus we can choose the set of reduced ideals to be the set of canonical 
representatives for the elements of $Cl_\Delta$. There are algorithms that, given any ideal in 
$\mathcal{I}_\Delta$, can efficiently compute the equivalent reduced ideal; we can use these algorithms and 
modifications of them to compute reduced products, powers, and inverses of all invertible 
ideals [Jac99]. 

It is also important to note that the class number $h_\Delta$ is typically close to $\sqrt{|\Delta|}$, so there 
are approximately $\sqrt{|\Delta|}$ equivalence classes in $Cl_\Delta$. Further, a well-supported conjecture 
by Cohen and Lenstra predicts that $Cl_\Delta$ is typically cyclic or "nearly cyclic" (for example, 
the direct product of a large cyclic group and a much smaller one) [Coh93]. 

We can now describe the imaginary case of the Buchmann-Williams key establishment 
protocol. The idea is that Alice and Bob agree on some element $\mathfrak{g} \in Cl_\Delta$ and perform 
the standard Diffie-Hellman protocol in the subgroup generated by $\mathfrak{g}$, 

$$\langle \mathfrak{g} \rangle = \{\mathcal{O}_\Delta, \mathfrak{g}, \mathfrak{g}^2, \ldots, \mathfrak{g}^{r-1}\}$$

where $r$ is the order of $\mathfrak{g}$. 

The protocol works as follows: 

Algorithm 13.8 (Buchmann-Williams Protocol (Imaginary Case)). 

1. Alice and Bob agree on a discriminant $\Delta < 0$, $\Delta \equiv 0, 1 \pmod 4$ and a reduced 
ideal $\mathfrak{g}$ of $\mathcal{O}_\Delta$. (These choices can be made public.) 

2. Alice chooses an integer $a$ uniformly at random from $\{1, \ldots, \lfloor \sqrt{|\Delta|} \rfloor\}$. She computes 
the value $\mathfrak{g}^a$ and sends it to Bob. 

3. Bob chooses an integer $b$ uniformly at random from $\{1, \ldots, \lfloor \sqrt{|\Delta|} \rfloor\}$. He computes 
the value $\mathfrak{g}^b$ and sends it to Alice. 

4. Bob uses $b$ and the value he receives from Alice to compute $(\mathfrak{g}^a)^b = \mathfrak{g}^{ab}$. 

5. Alice uses $a$ and the value she receives from Bob to compute $(\mathfrak{g}^b)^a = \mathfrak{g}^{ab}$. 

At the end of the protocol, Alice and Bob share the secret ideal $\mathfrak{g}^{ab}$, which they can 
use to derive a secret key. 
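As an added example (not code from the thesis or from [BW88]), Algorithm 13.8 run end to end, which is also the Diffie-Hellman exchange of Algorithm 12.1 carried out in $Cl_\Delta$: primitive ideals are stored as triples $(a, b, c)$, multiplied with the classical composition formula for the ideal product of Definition 13.3, and brought to the unique reduced ideal of their class in the sense of Definition 13.7. The discriminants, the starting ideal, the seed and the function names are this example's own choices.

```python
# Added example, not from the thesis: Algorithm 13.8 (imaginary Buchmann-Williams),
# i.e. Algorithm 12.1 run in the class group Cl_Delta. A primitive ideal
# aZ + ((b + sqrt(Delta))/2)Z of O_Delta is stored as the triple (a, b, c) with
# c = (b^2 - Delta)/(4a). Ideal products (Definition 13.3) use the classical
# composition formula, and every result is reduced in the sense of Definition 13.7,
# so equal classes are represented by equal triples.
import math
import random


def ext_gcd(x, y):
    """Return (g, u, v) with u*x + v*y = g = gcd(x, y), for x, y >= 0."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while y:
        q, x, y = x // y, y, x % y
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return x, u0, v0


def reduce_ideal(a, b, c, D):
    """Reduced ideal (Definition 13.7) equivalent to (a, b, c): |b| <= a <= c."""
    while True:
        if not -a < b <= a:                  # shift b by multiples of 2a into (-a, a]
            b = a - (a - b) % (2 * a)
            c = (b * b - D) // (4 * a)       # b^2 mod 4a is unchanged, so c stays integral
        if a > c:                            # exchange the roles of a and c
            a, b, c = c, -b, a
        elif a == c and b < 0:
            b = -b
        else:
            return (a, b, c)


def compose(f1, f2, D):
    """Reduced product of two primitive ideals of discriminant D (Definition 13.3)."""
    a1, b1, _ = f1
    a2, b2, _ = f2
    s = (b1 + b2) // 2
    g, x, y = ext_gcd(a1, a2)                # x*a1 + y*a2 = gcd(a1, a2)
    d1, p_, q_ = ext_gcd(g, abs(s))          # p_*g + q_*|s| = d1 = gcd(a1, a2, s)
    if s < 0:
        q_ = -q_
    u, v, w = p_ * x, p_ * y, q_             # u*a1 + v*a2 + w*s = d1
    a3 = a1 * a2 // (d1 * d1)
    b3 = (u * a1 * b2 + v * a2 * b1 + w * ((b1 * b2 + D) // 2)) // d1
    b3 %= 2 * a3
    c3 = (b3 * b3 - D) // (4 * a3)
    return reduce_ideal(a3, b3, c3, D)


def unit_ideal(D):
    """The reduced representative of O_Delta itself, the identity of Cl_Delta."""
    b = D % 2
    return (1, b, (b * b - D) // 4)


def ideal_pow(f, e, D):
    """Reduced e-th power of f by square-and-multiply."""
    result, base = unit_ideal(D), reduce_ideal(*f, D)
    while e:
        if e & 1:
            result = compose(result, base, D)
        base = compose(base, base, D)
        e >>= 1
    return result


def bw_imaginary_dh(D, g, seed):
    """One run of Algorithm 13.8; returns the secret ideals computed by Alice and Bob."""
    rng = random.Random(seed)
    bound = math.isqrt(-D)                   # exponents from {1, ..., floor(sqrt|Delta|)}
    a, b = rng.randint(1, bound), rng.randint(1, bound)
    g_a = ideal_pow(g, a, D)                 # Step 2: Alice -> Bob
    g_b = ideal_pow(g, b, D)                 # Step 3: Bob -> Alice
    alice_secret = ideal_pow(g_b, a, D)      # Step 5: (g^b)^a
    bob_secret = ideal_pow(g_a, b, D)        # Step 4: (g^a)^b
    return alice_secret, bob_secret


if __name__ == "__main__":
    D = -47                                  # class number 5; (2, 1, 6) has order 5
    print([ideal_pow((2, 1, 6), e, D) for e in range(1, 6)])
    D = -(10**10 + 7)                        # D = 1 (mod 8), so (2, 1, (1 - D)/8) is an ideal
    print(bw_imaginary_dh(D, (2, 1, (1 - D) // 8), seed=3))
```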

13.1.2 The Real Case 

In this section we assume that $\Delta > 0$ so that $\mathcal{O}_\Delta$ is a real quadratic order. Let $n = \log \Delta$. 
We can still define a reduced ideal, but the definition changes slightly: 

Definition 13.9. Let $\mathfrak{a}$ be a primitive ideal of $\mathcal{O}_\Delta$ with the representation 

$$\mathfrak{a} = a\mathbb{Z} + \frac{b + \sqrt{\Delta}}{2}\,\mathbb{Z}$$

where $a, b \in \mathbb{Z}$, $a > 0$ and $b^2 \equiv \Delta \pmod{4a}$. Then $\mathfrak{a}$ is a reduced ideal if 

$$\sqrt{\Delta} - 2a < b < \sqrt{\Delta}.$$

We also define the units and the regulator of a real quadratic order: 

Definition 13.10. An element $\epsilon \in \mathcal{O}_\Delta$ is called a unit if there exists an element $\epsilon' \in \mathcal{O}_\Delta$ 
such that $\epsilon\epsilon' = 1$. The fundamental unit of $\mathcal{O}_\Delta$ is the smallest positive unit greater than 
1 in $\mathcal{O}_\Delta$, and is denoted $\epsilon_\Delta$. 

Definition 13.11. The regulator of the real quadratic order $\mathcal{O}_\Delta$ is $\log \epsilon_\Delta$, and is denoted 
$R_\Delta$. 

Unlike the imaginary case, it is not true in the real case that each equivalence class 
of $Cl_\Delta$ contains exactly one reduced ideal; we can say only that each equivalence class 
contains a finite number of reduced ideals. The class number is typically very small, often 
$h_\Delta = 1, 2$, etc., meaning that there are very few equivalence classes in $Cl_\Delta$ and each one 
contains many reduced ideals. In fact, $h_\Delta R_\Delta \approx \sqrt{\Delta}$ and in this way, the regulator of the 
order is in some way a measure for how many reduced ideals occur in each equivalence 
class. 

Because $h_\Delta$ is generally very small in a real quadratic order, $Cl_\Delta$ is a poor choice for 
a group for the typical Diffie-Hellman key establishment. However, in [Sha72] Shanks 
proposed a method that could be used to organise the set of reduced ideals in any 
equivalence class into a structure that is not a group structure, but "group-like" in some 
respects, which he called the "infrastructure" of the class. 

Shanks proposed a real-valued "distance" function that defines the distance between 
any two reduced ideals in the same equivalence class. This function implies an ordering 
of the reduced ideals: they can be arranged in order of increasing distance from the unit 
ideal $\mathcal{O}_\Delta$. 

Definition 13.12. The distance between two reduced ideals $\mathfrak{a}$ and $\mathfrak{b}$ is denoted $\delta(\mathfrak{a}, \mathfrak{b})$. 
We will use $\delta(\mathfrak{a})$ as a shorthand for $\delta(\mathfrak{a}, \mathcal{O}_\Delta)$. 

Shanks also defined a function $\rho$ that given any reduced ideal would determine the 
next reduced ideal in the ordering. By repeatedly applying the $\rho$ operator to $\mathcal{O}_\Delta$, we 
eventually obtain all of the reduced ideals in the equivalence class, and then again obtain 
$\mathcal{O}_\Delta$. In other words, the ordering is a cyclical ordering of the reduced ideals. The total 
distance around the cycle of reduced ideals (using Shanks's distance function) is $R_\Delta$ (the 
regulator of $\mathcal{O}_\Delta$). 

We can perform several operations with the reduced ideals in this infrastructure, as 
described for example in [Jac99]. One of the most important operations is the following: 
given a reduced ideal $\mathfrak{a}$ and a real number $x$, we can compute the last reduced ideal 
whose distance from $\mathfrak{a}$ is no more than $x$ (modulo $R_\Delta$). If we think of the reduced ideals 
as being arranged on a circle of circumference $R_\Delta$, this operation corresponds to starting 
at the point on the circle corresponding to $\mathfrak{a}$, proceeding around the circumference a 
distance of $x$, and selecting the last reduced ideal we encounter. As a result, this ideal is 
sometimes called the ideal to the left of $x$ (relative to $\mathfrak{a}$). 

Definition 13.13. We will denote the ideal to the left of $x$ (relative to $\mathfrak{a}$) by $\lambda(x, \mathfrak{a})$. We 
will use $\lambda(x)$ as a shorthand for $\lambda(x, \mathcal{O}_\Delta)$. 

We can also define the error of the ideal to the left of $x$ (relative to $\mathfrak{a}$) which quantifies 
how well the true distance between $\lambda(x, \mathfrak{a})$ and $\mathfrak{a}$ approximates $x$: 

Definition 13.14. The error of $\lambda(x, \mathfrak{a})$ is denoted $\varepsilon(x, \mathfrak{a})$ and is defined by 

$$\varepsilon(x, \mathfrak{a}) = \left(x - \delta(\lambda(x, \mathfrak{a}), \mathfrak{a})\right) \bmod R_\Delta.$$

We will use $\varepsilon(x)$ as shorthand for $\varepsilon(x, \mathcal{O}_\Delta)$. 

The concepts of the ideal to the left of $x$ and the error of this ideal are illustrated in 
Figure 13.1. In the figure, we are working relative to $\mathcal{O}_\Delta$. 

Figure 13.1: The Cycle Of Reduced Principal Ideals 

It should be noted that the distances with which the participants in the protocol must 
work are all real numbers, and so to perform the required calculations exactly would 
require infinite precision. The participants must therefore choose some finite precision 
within which to perform all of the calculations, and as a result there may be round-off 
errors that propagate through the protocol. These potential round-off errors force the 
participants to perform an extra "clean-up" round of communication after the one usual 
round of a Diffie-Hellman-like exchange in order to make sure that they share the same 
value. 



We can now sketch the protocol. There are many details of the implementation that 
are omitted in the presentation below; for a more complete description of the protocol, 
refer to [SBW94]. 

Algorithm 13.15 (Buchmann-Williams Protocol (Real Case)). 

1. Alice and Bob agree on a discriminant $\Delta > 0$, $\Delta \equiv 0, 1 \pmod 4$ and an equivalence 
class of $Cl_\Delta$. (These choices can be made public.) 

2. Alice chooses an integer $a$ uniformly at random from $\{1, \ldots, \lfloor \sqrt{\Delta} \rfloor\}$. She computes 
$\mathfrak{a}$, the ideal to the left of $a$; that is, $\mathfrak{a} = \lambda(a)$. She also computes $\varepsilon(a)$ and sends $\mathfrak{a}$ 
and $\varepsilon(a)$ to Bob. 

3. Bob chooses an integer $b$ uniformly at random from $\{1, \ldots, \lfloor \sqrt{\Delta} \rfloor\}$. He computes 
$\mathfrak{b}$, the ideal to the left of $b$; that is, $\mathfrak{b} = \lambda(b)$. He also computes $\varepsilon(b)$ and sends $\mathfrak{b}$ 
and $\varepsilon(b)$ to Alice. 

4. Alice computes $\mathfrak{c}_a$, the ideal to the left of $a + \varepsilon(b)$ (relative to $\mathfrak{b}$); that is, 
$\mathfrak{c}_a = \lambda(a + \varepsilon(b), \mathfrak{b})$. 

5. Bob computes $\mathfrak{c}_b$, the ideal to the left of $b + \varepsilon(a)$ (relative to $\mathfrak{a}$); that is, 
$\mathfrak{c}_b = \lambda(b + \varepsilon(a), \mathfrak{a})$. 

6. Alice and Bob send each other one classical bit which allows them to determine 
whether $\mathfrak{c}_a = \mathfrak{c}_b$. If this is not true, Alice and Bob make small adjustments 
(see [SBW94]) after which they are certain that they have computed the same 
ideal. 

At the end of the protocol, Alice and Bob share a secret ideal which they can use to 
derive a secret key. 
13.2 Security Of The Protocol 

In this section we discuss the security of each of the two cases of the Buchmann-Williams 
protocol. As we will see, both cases are susceptible to attacks with a quantum computer. 
In order to break the real case of the protocol, however, we will need two recently 
discovered quantum algorithms. 

13.2.1 The Imaginary Case 

Since the imaginary case of the Buchmann-Williams protocol is equivalent to the Diffie-Hellman 
protocol, as mentioned in Chapter 12 the scheme would be broken if the Discrete 
Logarithm Problem (DLP) could be solved efficiently in the group $Cl_\Delta$. There are 
no known efficient classical algorithms to solve DLP in this group, however: the best 
known algorithms still require superpolynomial time, like that in [Jac99]. Furthermore, 
in [BW88] it is mentioned that if an efficient algorithm to solve DLP in $Cl_\Delta$ did exist, it 
could likely be used to factor $\Delta$. 

The group could possibly admit attacks that did not depend on solving DLP but on 
solving the Diffie-Hellman Problem (DHP) directly, but again, there is some evidence 
described in [BW88] that these attacks could also lead to algorithms to factor $\Delta$. These 
facts suggest that breaking the scheme with a classical computer is at least as hard as 
the factoring problem, which we believe to be hard. We therefore believe the protocol to 
be secure against a passive adversary with a classical computer. 

However, as mentioned in Section 3.8, there is an efficient quantum algorithm to solve 
DLP. In other words, this protocol is not secure against a quantum adversary. 
13.2.2 The Real Case 

Consider the following variation of DLP as proposed in [BW90]: 

Problem 13.16 (Principal Ideal Distance Problem (PIDP)). Given a principal 
ideal $\mathfrak{a}$ of a real quadratic order $\mathcal{O}_\Delta$, compute $\delta(\mathfrak{a})$, its distance from $\mathcal{O}_\Delta$. 

Suppose an adversary can solve PIDP. When Alice sends $\mathfrak{a}$ and $\varepsilon(a)$ to Bob, the 
adversary can compute $\delta(\mathfrak{a})$, and hence determine $\delta(\mathfrak{a}) + \varepsilon(a) = a$. The adversary then 
has knowledge of Alice's private value $a$ (to some finite precision). With this knowledge, 
with good probability the adversary can construct the shared secret in the same way 
Alice does, and the protocol is broken. That is, an algorithm to solve PIDP would allow 
an adversary to break the real version of the Buchmann-Williams key establishment 
protocol. 

There is evidence that PIDP is hard to solve with a classical computer. It is shown 
in [BW90] that an efficient solution to PIDP would result in an efficient algorithm to 
compute the regulator $R_\Delta$. Further, it is shown in [Sch82] that an efficient algorithm to 
compute $R_\Delta$ would result in an efficient algorithm to factor $\Delta$. Thus, PIDP is at least 
as hard as the factoring problem, which we believe to be hard with a classical computer. 
We therefore believe the protocol to be secure against a passive adversary with a classical 
computer. 

However, as recently discovered by Hallgren [Hal02], we can efficiently solve PIDP 
with a quantum computer. Therefore the real version of the Buchmann-Williams key 
establishment protocol can be broken by a passive adversary with a quantum computer. 

The remainder of this chapter introduces the new quantum algorithms that efficiently 
solve PIDP. Suppose we are given a quadratic order $\mathcal{O}_\Delta$. We will describe two algorithms: 
one that computes $R_\Delta$, and another that given $R_\Delta$ solves PIDP. The description of these 
algorithms in [Hal02] is quite terse, and the presentation below attempts to provide 
more details and to correct some of the minor errors in [Hal02]. A similar but independently 
constructed clarification of the algorithm to compute the regulator can be found 
in [Joz03], along with much of the background material already presented in this chapter. 

13.2.3 Computing The Regulator 

As mentioned above, much of the material in this section can also be found in [Joz03]. 
However, except where noted, the presentation here was developed independently. 

We work in the identity class of $Cl_\Delta$. Consider the function $g\colon \mathbb{R} \to \mathcal{P}_\Delta \times \mathbb{R}$ defined 
by $g(x) = (\lambda(x), \varepsilon(x))$ for all $x \in \mathbb{R}$. 

Proposition 13.17. The function $g$ is one-to-one on the interval $[0, R_\Delta)$ and periodic 
with period $R_\Delta$. 

Proof. If $g(x) = g(y)$ for any $x, y \in [0, R_\Delta)$, then $\lambda(x) = \lambda(y)$ and 

$$
\begin{aligned}
\varepsilon(x) &= \varepsilon(y) \\
x - \delta(\lambda(x)) &\equiv y - \delta(\lambda(y)) \pmod{R_\Delta} \\
x - \delta(\lambda(x)) &\equiv y - \delta(\lambda(x)) \pmod{R_\Delta} \\
x &\equiv y \pmod{R_\Delta}.
\end{aligned}
$$

Further, $x, y \in [0, R_\Delta)$ so it follows that $x = y$, and $g$ is one-to-one on $[0, R_\Delta)$. 

Since the distance around the cycle of reduced ideals is $R_\Delta$, it follows that for any 
$x \in \mathbb{R}$, 

$$g(x + R_\Delta) = (\lambda(x + R_\Delta), \varepsilon(x + R_\Delta)) = (\lambda(x), \varepsilon(x)),$$

so $g$ is periodic with period $R_\Delta$. □ 

We now have a periodic function with a domain of $\mathbb{R}$. We would like to use techniques 
similar to those from Section 3.4 to find the period of the function, but in order to compute 
with the function we first have to modify it slightly so that its domain is some discrete set. 
Such a modification will also have the effect of making the function no longer "perfectly" 
periodic, but we will still be able to recover a close approximation to the period. 

More specifically, as in [Hal02] we can define what it means for a function with an 
integer domain to be "periodic" with a real (not necessarily integer) period. We use the 
definition presented in [Joz03]: 

Definition 13.18. Let $X$ be any set. A function $f\colon \mathbb{Z} \to X$ is called weakly periodic 
with period $s \in \mathbb{R}$ if for all integers $k$, $0 \le k < s$, and for all non-negative integers $j$, 
either 

1. $f(k) = f(k + \lfloor js \rfloor)$, or 

2. $f(k) = f(k + \lceil js \rceil)$. 

For brevity we will write $f(k) = f(k + \lfloor js \rceil)$ to indicate that one of the above conditions 
is satisfied. The satisfied condition may vary with $k$ and $j$. 

(Here we use the notation $\lfloor x \rfloor$ to denote the largest integer less than or equal to $x$, 
and $\lceil x \rceil$ to denote the smallest integer greater than or equal to $x$. We will also use the 
notation $[x]$ to denote the closest integer to $x$.) 

We now define a weakly periodic function by slightly modifying the function $g$. Given 
a positive integer $N$, we define $g\colon \mathbb{Z} \to \mathcal{P}_\Delta \times \mathbb{Z}$ by 

$$g(j) = \left(\lambda\!\left(\tfrac{j}{N}\right),\ \left\lfloor N \varepsilon\!\left(\tfrac{j}{N}\right) \right\rfloor\right)$$

for all integers $j$. 

As we will see, this function does not precisely satisfy the definition of a weakly 
periodic function, but by choosing $N$ wisely we can ensure that it satisfies the definition 
for a large fraction of the integers $k$, $0 \le k < s$. This statement is made more specific in 
the following theorem: 

Theorem 13.19. If $N >$  then the function $g$ is one-to-one on the interval $[0, NR_\Delta)$ 
and $g(k) = g(k + \lfloor jNR_\Delta \rceil)$ for at least a $\left(1 - \tfrac{2}{n}\right)$ fraction of the integers $k \in [0, NR_\Delta)$. 

Note that in the analogous theorem in [Hal02], it is stated without proof that we 
should require only $N > n\sqrt{\Delta}$. However, precise analysis in [Joz03] proves the existence 
of the lower bound on $N$ given in Theorem 13.19; so we use that lower bound here. 

Proof. First we show that $g$ is one-to-one on the interval $[0, NR_\Delta)$. 
If $g(j) = g(k)$ for any $j, k \in [0, NR_\Delta)$ then $\lambda(j/N) = \lambda(k/N)$ and 

$$N\varepsilon\!\left(\tfrac{j}{N}\right) = N\varepsilon\!\left(\tfrac{k}{N}\right) + \alpha$$

for some $\alpha$ with $|\alpha| < 1$. Dividing both sides by $N$, we get 

$$
\begin{aligned}
\varepsilon\!\left(\tfrac{j}{N}\right) &= \varepsilon\!\left(\tfrac{k}{N}\right) + \tfrac{\alpha}{N} \\
\tfrac{j}{N} - \delta\!\left(\lambda\!\left(\tfrac{j}{N}\right)\right) &\equiv \tfrac{k}{N} - \delta\!\left(\lambda\!\left(\tfrac{k}{N}\right)\right) + \tfrac{\alpha}{N} \pmod{R_\Delta} \\
\tfrac{j}{N} &\equiv \tfrac{k}{N} + \tfrac{\alpha}{N} \pmod{R_\Delta}.
\end{aligned}
$$

Since $0 \le j, k < NR_\Delta$, we must have $0 \le \tfrac{j}{N}, \tfrac{k}{N} < R_\Delta$. Therefore, 

$$\tfrac{j}{N} = \tfrac{k}{N} + \tfrac{\alpha}{N}.$$

Further, since $j, k \in \mathbb{Z}$ and $|\alpha| < 1$, we must in fact have $\alpha = 0$, so $j = k$ and thus $g$ is 
one-to-one on $[0, NR_\Delta)$. 

Now we wish to show that $g(k) = g(k + \lfloor jNR_\Delta \rceil)$ for a sufficiently large fraction of the 
integers $k \in [0, NR_\Delta)$. Choose any reduced ideal $\mathfrak{a}$, and consider the interval between 
the distance of $\mathfrak{a}$ and the distance of the next ideal in the cycle; in other words, the 
interval $I = [\delta(\mathfrak{a}), \delta(\rho(\mathfrak{a})))$. By a proven bound on the distance between consecutive 
ideals developed in [Joz03] we know that $I$ has length at least 

Since we are given $N >$  we know that  $\ge$  and hence there are at least $n$ 
integers $k$ in $[0, NR_\Delta)$ for which $\tfrac{k}{N} \in I$. Let $S$ be the set of all such integers. 

For any $k \in S$, $\lambda(k/N) = \mathfrak{a}$. Further, if $k \ne \min S$ and $k \ne \max S$, and $\sigma$ is chosen 
such that $0 \le \sigma < 1$, then $\min S \le k \pm \sigma \le \max S$, so 

$$\lambda\!\left(\tfrac{k \pm \sigma}{N}\right) = \lambda\!\left(\tfrac{k}{N}\right) = \mathfrak{a}. \tag{13.1}$$

Fix some value of $j$, and define the quantity $\sigma_1 = jNR_\Delta - \lfloor jNR_\Delta \rfloor$. We assume that 
$jNR_\Delta \notin \mathbb{Z}$, so $0 < \sigma_1 < 1$. 

We consider two cases: 
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1. If we round down the value of JNRa, 

= A(|) by Equation (13.1). 

2. Similarly, if we round up the value of jiVi?A, 

= a(;|) by Equation (13.1). 
Thus for any k & S, k ^ min S, k ^ max 5", 



Now define the quantity a2 = Ne{j^) - lNe{j^)\ . Then < as < 1. 
Again, we consider two cases: 



;i3.2) 



1. If (7i < (72, then 



Ne(^±M3^)\^lNe{^ + jR^)\ 

= [iV(^-5(A(^)))J 

= L^(#-t-^(A(#)))J 

= [A^£(;|)J since ai < 02- 
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2. If (Ti > (72, then similarly 



= [iVs(A) + (l-aOj 

= [iVe(;|:)J since 1 - (7i < 1 - (72. 



Thus for any k & S with k ^ min S, k ^ max 5", 



Combining Equation (13.2) and Equation (13.3), we see that 



g{k + \jNRA])^9{k). 



:i3.3) 



(13.4) 



Since \S\ > n and k can take on all but two of the values in S, Equation (13.4) is 
satisfied for at least a (l — ;|) fraction of the integers k & S. The same argument can be 
made for the interval between any two reduced ideals. Thus Equation (13.4) is satisfied 
for at least a (l — ;|) fraction of the integers k G [0,NR^). (This bound can in fact be 
improved to a (l — ^) fraction with a slightly different analysis like that of [Joz03], but 
the bound presented here is still sufficient.) 

Therefore as required, g{k + {jMRa]) — g{k) for at least a ^1 — fraction of the 
integers A; e [0,A^i?A). ^ 



We can now describe the core of the quantum algorithm to compute the regulator. The algorithm will calculate an approximation to $s = NR_\Delta$, from which we can recover $R_\Delta$. Like in Algorithm 3.11, we assume that we have a unitary operator $U_g$ that maps $|k\rangle|y\rangle \mapsto |k\rangle|y \oplus g(k)\rangle$. We also assume that we are given an integer $m > 3s^2$, although if the approximate size of $s$ is unknown, we can use a technique similar to that of Section 3.4, where we repeatedly double $m$ until the algorithm succeeds.

Algorithm 13.20 (Core Of Computing The Regulator).

1. Start in the state $|0\rangle|0\rangle \in \mathcal{H}_m \otimes \mathcal{H}_l$, where $l$ is chosen such that $l$ bits are sufficient to encode any point in the range of $g$.

2. Apply $\mathrm{QFT}_m$ to the first register.

3. Apply $U_g$ to the system.

4. Measure the second register.

5. Apply $\mathrm{QFT}_m$ to the first register.

6. Measure the first register to obtain the integer $y$. If $y > \tfrac{m}{n}$, begin the procedure again.

7. Otherwise, return $y$.



Theorem 13.21. With probability in $O\!\left(\tfrac{1}{\log s}\right)$, the output of Algorithm 13.20 satisfies
$$y = \left[k\frac{m}{s}\right] \quad \text{for some integer } k.$$

Proof Sketch. After Step 3 our system is in the state $|\psi\rangle = \tfrac{1}{\sqrt{m}}\sum_{k=0}^{m-1} |k\rangle|g(k)\rangle$. When we measure the second register in Step 4, we see a value $z$ and we leave the first register in a superposition of all states in which $z$ appears in the second register.

We now determine this superposition. Let $m = \lfloor ps \rfloor + r$ where $p, r \in \mathbb{Z}$ and $0 \le r < s$; in other words, $m \approx ps$. By Theorem 13.19 we know that for an inverse polynomial fraction of the integers $k$ with $0 \le k < s$, $g(k) = g(k + \lfloor js \rceil)$. So with high probability, if $z = g(k)$, then $z = g(k + \lfloor js \rceil)$ for all $j$, $0 \le j < p$. Thus we can say that after Step 4 we leave the first register in a state that is "close to"
$$|\psi'\rangle = \frac{1}{\sqrt{p}}\sum_{j=0}^{p-1} |k + \lfloor js \rceil\rangle.$$

This is not exactly the state of the first register, since the function $g$ is not exactly weakly periodic. The consequences of using this approximate data are not explicitly analysed in [Hal02] or [Joz03]. However, both claim that because of the large fraction of integers $k$ for which $g(k) = g(k + \lfloor js \rceil)$ (see Theorem 13.19) the approximation is close enough for the algorithm to succeed. Similarly, the remainder of the analysis here assumes that the first register is in the exact state $|\psi'\rangle$.

After applying $\mathrm{QFT}_m$ to $|\psi'\rangle$ in Step 5, we obtain the state
$$\frac{1}{\sqrt{pm}}\sum_{j=0}^{p-1}\sum_{x=0}^{m-1} e^{2\pi i\, x(k + \lfloor js \rceil)/m}\,|x\rangle
= \frac{1}{\sqrt{pm}}\sum_{x=0}^{m-1} e^{2\pi i\, xk/m}\sum_{j=0}^{p-1} e^{2\pi i\, x\lfloor js \rceil/m}\,|x\rangle.$$

It is interesting to note that the global phase coefficient $e^{2\pi i\, xk/m}$ does not affect the probability distribution of the results of measuring this state, since $\left|e^{2\pi i\, xk/m}\right|^2 = 1$. (In other words, we can assume without loss of generality that $k = 0$. It is a general property of the Fourier sampling method used by this algorithm that given a group $G$ and a subset $X$ of $G$, the distributions induced by applying the method to the superpositions $\sum_{x \in X} |x\rangle$ and $\sum_{x \in X} |g + x\rangle$ are identical for every $g \in G$ [Hal02].)

The probability of obtaining a particular measurement result $y$ in Step 6 is therefore given by
$$P_y = \left|\frac{1}{\sqrt{pm}}\sum_{j=0}^{p-1} e^{2\pi i\, y\lfloor js \rceil/m}\right|^2. \tag{13.5}$$



As in [Hal02] (but in more detail) we now analyse this distribution.

Fix a value $y = [k\tfrac{m}{s}]$ for some integer $k$, and let $y = \tfrac{km}{s} + \varepsilon$ where $-\tfrac{1}{2} \le \varepsilon \le \tfrac{1}{2}$. For each $j$, $0 \le j < p$, let $\lfloor js \rceil = js + \delta_j$, where $-1 < \delta_j < 1$.

Then note that
$$\frac{y\lfloor js \rceil}{m} = \left(\frac{k}{s} + \frac{\varepsilon}{m}\right)(js + \delta_j) = kj + \frac{\varepsilon js}{m} + \frac{k\delta_j}{s} + \frac{\varepsilon\delta_j}{m}. \tag{13.6}$$

Recall that in Step 6 we accepted only values of $y$ that satisfied $y \le \tfrac{m}{n}$. Thus
$$\frac{km}{s} + \varepsilon \le \frac{m}{n}, \qquad \frac{k}{s} + \frac{\varepsilon}{m} \le \frac{1}{n},$$
and hence, since $|\delta_j| < 1$ and $0 \le y$,
$$\left|\frac{k\delta_j}{s} + \frac{\varepsilon\delta_j}{m}\right| = |\delta_j|\left(\frac{k}{s} + \frac{\varepsilon}{m}\right) \le \frac{1}{n}. \tag{13.7}$$

Further note that $\tfrac{\varepsilon js}{m} = \tfrac{j}{p}\left(\tfrac{\varepsilon sp}{m}\right)$ and, since $|\varepsilon| \le \tfrac{1}{2}$ and $m \approx sp$,
$$\left|\frac{\varepsilon sp}{m}\right| \le \frac{1}{2}. \tag{13.8}$$

We now appeal to Claim 3.2 of [Hal02], which we re-state more precisely but do not prove. (See [Joz03] for a proof of the claim's correctness.) The claim is the following:

Proposition 13.22. Let $n$ and $q$ be positive integers, let $\alpha$ be a constant with $|\alpha| \le$  , and let $\beta\colon \mathbb{Z} \to \mathbb{R}$ be a function such that $|\beta(j)| \le \tfrac{1}{n}$ for all $j$, $0 \le j \le q - 1$. Then there exists a constant $c$ such that if $n \in O(\log q)$,
$$\left|\sum_{j=0}^{q-1} e^{2\pi i\left(\frac{j}{q}\alpha + \beta(j)\right)}\right|^2 \ge c\,q^2.$$

If we let $\beta(j) = \tfrac{k\delta_j}{s} + \tfrac{\varepsilon\delta_j}{m}$ and $\alpha = \tfrac{\varepsilon sp}{m}$, then by Equation (13.7) and Equation (13.8), respectively, the hypotheses of Proposition 13.22 are satisfied.

Further, combining Equation (13.5) and Equation (13.6), we see that
$$\begin{aligned}
P_y &= \left|\frac{1}{\sqrt{pm}}\sum_{j=0}^{p-1}\exp\!\left(2\pi i\left(kj + \frac{\varepsilon js}{m} + \frac{k\delta_j}{s} + \frac{\varepsilon\delta_j}{m}\right)\right)\right|^2 \\
&= \frac{1}{pm}\left|\sum_{j=0}^{p-1}\exp\!\left(2\pi i\left(\frac{\varepsilon js}{m} + \frac{k\delta_j}{s} + \frac{\varepsilon\delta_j}{m}\right)\right)\right|^2 \\
&= \frac{1}{pm}\left|\sum_{j=0}^{p-1} e^{2\pi i\left(\frac{j}{p}\alpha + \beta(j)\right)}\right|^2.
\end{aligned}$$

We can therefore apply Proposition 13.22 to the above sum, and deduce that
$$P_y \ge \frac{1}{pm}\,c\,p^2 = \frac{cp}{m} \approx \frac{c}{s}.$$

Finally, we calculate the number of $y$ that satisfy the conditions of the theorem. By the condition in Step 6 we know that $0 \le y \le \tfrac{m}{n}$. Using the fact that $\log s > n$, we can obtain a lower bound on the number of such $y$ by counting only those that satisfy
$$0 \le y \le \frac{m}{\log s}. \tag{13.9}$$

If $0 \le [k\tfrac{m}{s}] \le \tfrac{m}{\log s}$ then $0 \le k \le \tfrac{s}{\log s}$ (approximately); so there are $\tfrac{s}{\log s}$ values of $y$ that satisfy the conditions of the theorem and Equation (13.9).

The probability that the output of the algorithm satisfies the conditions of the theorem is therefore at least
$$\frac{s}{\log s}\cdot\frac{c}{s} = \frac{c}{\log s},$$
which is in $O\!\left(\tfrac{1}{\log s}\right)$ as required. □

The basic statement of Theorem 13.21 is that the probability of measuring such an integer $y$ is considerably higher than selecting the integer $y$ uniformly at random from $0, \ldots, m - 1$.
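The following numerical check is an added example (not code from the thesis or from [Hal02]) of the Fourier-sampling distribution in Equation (13.5) and the claim of Theorem 13.21 just stated. It assumes a constructed non-integer "period" $s = 7.3$ standing in for $NR_\Delta$, a modulus $m = 160 \ge 3s^2$, the shift $k = 0$ (allowed by the coset argument above), and the admissible rounding choice "always round down" for $\lfloor js \rceil$; it then computes every $P_y$ exactly and compares the mass on $y = [k\tfrac{m}{s}]$ with the uniform value $\tfrac{1}{m}$.

```python
# Added numerical illustration of Fourier sampling in Algorithm 13.20 and the
# distribution in Equation (13.5); not code from the thesis or [Hal02].
# The "period" s, the modulus m and the rounding choice are all constructed.
import cmath
from math import floor


def nearest_int(x):
    """The thesis's [x]: the integer closest to x (ties round up)."""
    return floor(x + 0.5)


def first_register_values(s, m):
    """Values k + floor(j s), 0 <= j < p, held by the first register after
    Step 4 when k = 0 and every admissible rounding is 'round down';
    p is the integer with m = floor(p s) + r, 0 <= r < s, i.e. p = floor(m / s)."""
    p = floor(m / s)
    return [floor(j * s) for j in range(p)]


def fourier_sampling_distribution(s, m):
    """P_y = |(1/sqrt(p m)) sum_j exp(2 pi i y a_j / m)|^2 for y = 0..m-1,
    the distribution of the Step 6 measurement given in Equation (13.5)."""
    values = first_register_values(s, m)
    p = len(values)
    dist = []
    for y in range(m):
        amplitude = sum(cmath.exp(2j * cmath.pi * y * a / m) for a in values)
        dist.append(abs(amplitude) ** 2 / (p * m))
    return dist


def predicted_outputs(s, m):
    """The y values Theorem 13.21 singles out: y = [k m / s] with 0 <= y < m."""
    outputs, k = [], 0
    while True:
        y = nearest_int(k * m / s)
        if y >= m:
            return outputs
        outputs.append(y)
        k += 1


def mass_on_predicted_outputs(s, m):
    """Total probability that Step 6 lands on one of the predicted y values."""
    dist = fourier_sampling_distribution(s, m)
    return sum(dist[y] for y in predicted_outputs(s, m))


if __name__ == "__main__":
    s, m = 7.3, 160          # constructed: m >= 3 s^2 = 159.87
    dist = fourier_sampling_distribution(s, m)
    for y in predicted_outputs(s, m):
        print(f"y={y:4d}  P_y={dist[y]:.4f}  (uniform would be {1/m:.4f})")
    print("mass on predicted outputs:", round(mass_on_predicted_outputs(s, m), 4))
```

Because the $p = 21$ values $\lfloor js \rfloor$ are distinct modulo $m$, the distribution sums to exactly $1$ (Parseval), and $P_0 = \tfrac{p}{m}$ is the largest value any $y$ can attain. Printing the rows shows the phenomenon Step 6 guards against: the rounding errors $\delta_j$ hurt more as $y$ grows, so the predicted outputs with small $y$ carry far more mass than the uniform $\tfrac{1}{m}$ while the ones near $m$ carry less.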

The remainder of the algorithm to compute the regulator is purely classical and similar to Algorithm 3.11 to solve the bounded case of the Integer Hidden Subgroup Problem (IHSP); we do not prove its correctness here (see [Hal02] or [Joz03]). The algorithm works as follows: we run Algorithm 13.20 twice, obtaining integers $y_1$ and $y_2$ which by Theorem 13.21 with high probability are equal to $[k_1\tfrac{m}{s}]$ and $[k_2\tfrac{m}{s}]$ for some integers $k_1$ and $k_2$. Also, with high probability, $\gcd(k_1, k_2) = 1$. Applying the continued fraction algorithm from Section 3.4 to $\tfrac{y_1}{y_2}$, and using an algorithm from [Hal02] to test whether a given integer is "close to" a multiple of $s$, we can recover the integer $k_1$.

Once we have recovered $k_1$, we can compute
$$a = \frac{k_1 m}{y_1}.$$






The final step of the algorithm is to compute $\tfrac{a}{N}$; note that
$$|a - s| < 1, \qquad |a - NR_\Delta| < 1, \qquad \left|\frac{a}{N} - R_\Delta\right| < \frac{1}{N}.$$

In other words, this polynomial time quantum algorithm allows us to determine the regulator to arbitrary precision depending on our choice of $N$.



13.2.4 Solving The Principal Ideal Distance Problem

After computing the regulator, we can use another new quantum algorithm from [Hal02] to solve PIDP. Given an ideal $\mathfrak{a}$, let the (unknown) distance of $\mathfrak{a}$ be $a$. The goal of the algorithm is to find $a$. We will use an algorithm similar to the algorithm in Section 3.8 for solving the Discrete Logarithm Problem (DLP).

We begin by defining a new periodic function, as suggested in [Zal03], that is based on the function $g$ from the previous section, although this new function has a two-dimensional domain. Consider the function $h\colon \mathbb{Z} \times \mathbb{R} \to V_\Delta \times \mathbb{R}$ defined by
$$h(j, x) = g(aj + x) = \left(\lambda(aj + x),\ \varepsilon(aj + x)\right).$$

We briefly justify that this function is periodic with a two-dimensional period given by $p_1 = (0, R_\Delta)$ and $p_2 = (-1, a)$:

1. Note that $h((j, x) + p_1) = h(j, x + R_\Delta) = g(aj + x + R_\Delta) = g(aj + x)$ since $g$ is periodic with period $R_\Delta$ by Proposition 13.17.

2. Note that $h((j, x) + p_2) = h(j - 1, x + a) = g(a(j - 1) + x + a) = g(aj + x)$.

Thus $h$ is indeed a periodic function with the given two-dimensional period. Note that the unknown value $a$ appears in $p_2$, so if we could find the period of this function, we could solve PIDP.

As in the previous section, we cannot easily compute with $h$, since the domain is not a discrete set. We therefore modify $h$ slightly, and define a new function $h\colon \mathbb{Z} \times \mathbb{Z} \to V_\Delta \times \mathbb{Z}$ by
$$h(j_1, j_2) = \left(\lambda\!\left(aj_1 + \tfrac{j_2}{N}\right),\ \left\lfloor N\varepsilon\!\left(aj_1 + \tfrac{j_2}{N}\right)\right\rfloor\right).$$
(Note that $h(j_1, j_2) = g(aj_1 + \tfrac{j_2}{N})$ where the domain of $g$ has been extended to $\mathbb{R}$ in the natural way.) This function $h$ is the function proposed in [Hal02] and it is the function on which the solution to PIDP is based.

At first it seems as though we cannot evaluate $h$ since we do not know $a$. However, using an algorithm described in detail in [SBW94], given $\mathfrak{a}$ and $j_1$ we can compute the ideal to the left of $\delta(\mathfrak{a})j_1$ and its error; that is, we can compute $\lambda(aj_1)$ and $\varepsilon(aj_1)$. Since the value $\tfrac{j_2}{N}$ is known, we can use the methods described in Section 13.1.2 (in fact the same methods that Alice and Bob use to carry out the real Buchmann-Williams protocol) to compute $\lambda(aj_1 + \tfrac{j_2}{N})$ and $\varepsilon(aj_1 + \tfrac{j_2}{N})$. (Note that at the end of these computations we still do not know the value of $a$.)

We will solve a problem similar to the Hidden Subgroup Problem (HSP), although in this case we do not have a hidden subgroup, but instead a hidden "group-like set". Consider the set
$$T = \left\{(s, t) \in \mathbb{Z} \times \mathbb{Z} : \left(as + \tfrac{t}{N}\right) \bmod R_\Delta < \tfrac{1}{N}\right\}.$$
The function $h$ is constant on $T$ because the interval $[0, \tfrac{1}{N})$ is short enough that it contains only the ideal $\mathcal{O}_\Delta$, and thus for any $x$ in the interval $\lambda(x) = \mathcal{O}_\Delta$ and $\lfloor N\varepsilon(x) \rfloor = 0$. So for any $(s, t) \in T$, $h(s, t) = (\mathcal{O}_\Delta, 0)$.

Next consider a coset of $T$, say $T + (u, v)$. We can write this coset as follows:
$$\begin{aligned}
T + (u, v) &= \left\{(s, t) \in \mathbb{Z} \times \mathbb{Z} : \left(a(s - u) + \tfrac{t - v}{N}\right) \bmod R_\Delta < \tfrac{1}{N}\right\} \\
&= \left\{(s, t) \in \mathbb{Z} \times \mathbb{Z} : \left(as + \tfrac{t}{N} - \left(au + \tfrac{v}{N}\right)\right) \bmod R_\Delta < \tfrac{1}{N}\right\}.
\end{aligned}$$
In other words, this coset of $T$ is the set of points $(s, t)$ such that $as + \tfrac{t}{N}$ is in the interval of length $\tfrac{1}{N}$ starting from $au + \tfrac{v}{N}$. We will denote this interval by $I_{(u,v)}$.

Unlike in an instance of the typical HSP, the function $h$ is not necessarily constant on the cosets of $T$. For example, suppose there is an ideal $\mathfrak{b}$ in the interval $I_{(u,v)}$. Then for the points $x \in I_{(u,v)}$ after $\mathfrak{b}$, $\lambda(x) = \mathfrak{b}$, but for the rest of the points $x$, $\lambda(x) = \rho^{-1}(\mathfrak{b})$ (the previous ideal in the cyclical ordering). Similarly, if there is a point $y \in I_{(u,v)}$ such that the distance from $y$ to $\lambda(y)$ is a multiple of $\tfrac{1}{N}$, then the value of $\lfloor N\varepsilon(x) \rfloor$ will change depending on whether $x$ occurs before or after $y$.

It is in fact true that $h$ could take on at most 3 values on any coset of $T$, in the case where the corresponding interval contains both an ideal $\mathfrak{b}$ and a value $y$ such that the distance from $y$ to $\lambda(y)$ is a multiple of $\tfrac{1}{N}$. Consequently, $h$ must be constant on at least $\tfrac{1}{3}$ of the elements in the coset. Although the implications of $h$ being only "approximately constant" on the cosets of $T$ are not explicitly analysed in [Hal02], the fraction of the elements on which $h$ is constant is sufficient to allow the algorithm to succeed.

It should also be noted that two cosets of $T$ may overlap without being exactly equal, since we could have $au + \tfrac{v}{N} \approx au' + \tfrac{v'}{N}$ with $v \ne v'$ and $u \ne u'$. However, for fixed $u$ and $0 \le v < NR_\Delta$ it is true that the cosets $\{T + (u, v)\}$ are disjoint, and $h$ is distinct and approximately constant on these disjoint cosets.

First we select the parameters for the algorithm using the following algorithm:

Algorithm 13.23 (Parameter Selection For PIDP).

1. Compute the regulator $R_\Delta$ using the algorithm from Section 13.2.3.

2. Choose an integer $m > 2R_\Delta$.

3. Choose an integer $b >$   and compute the continued fraction expansion of $bR_\Delta$ to find $p, q \in \mathbb{Z}$ such that
$$\left|bR_\Delta - \frac{p}{q}\right| < \frac{1}{4qm}.$$

4. Let $N = qb$.

5. Output $(R_\Delta, m, N)$.







Proposition 13.24. The output of Algorithm 13.23 satisfies $|NR_\Delta - [NR_\Delta]| < \tfrac{1}{4m}$.

Proof. We know that
$$\left|bR_\Delta - \frac{p}{q}\right| = \left|\frac{N}{q}R_\Delta - \frac{p}{q}\right| < \frac{1}{4qm},$$
so
$$|NR_\Delta - p| < \frac{q}{4qm} = \frac{1}{4m}.$$

Now since $p$ is an integer and its distance from $NR_\Delta$ is less than $\tfrac{1}{2}$, we must have $p = [NR_\Delta]$. Thus
$$|NR_\Delta - [NR_\Delta]| < \frac{1}{4m}$$
as required. □
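The two classical steps described in this chapter, the post-processing of Algorithm 13.20's outputs $y_1, y_2$ in Section 13.2.3 and the continued-fraction parameter selection of Algorithm 13.23 with the check of Proposition 13.24, share the same convergent computation, so the following added example (not code from the thesis or from [Hal02]) demonstrates both. Everything numeric is constructed: $s = 1021.37$ stands in for $NR_\Delta$, $m = 3\,200\,000 > 3s^2$, the integers $k_1 = 7$, $k_2 = 19$ play the role of the values a successful quantum run would produce, and the "close to a multiple of $s$" test of [Hal02] is modelled by a callback that simply consults the hidden $s$ (the real test uses infrastructure arithmetic that is not shown here). For the PIDP part, $R_\Delta$ is replaced by a rational approximation $R$ far more precise than the $\tfrac{1}{4qm}$ threshold, which is the threshold read from the proof of Proposition 13.24.

```python
# Added illustration of the classical post-processing around Algorithms 13.20
# and 13.23 (not code from the thesis or from [Hal02]; all numbers constructed).
from fractions import Fraction
from math import floor, gcd


def nearest_int(x):
    """The thesis's [x]: the integer closest to x (ties round up)."""
    return floor(x + Fraction(1, 2))


def convergents(x):
    """Yield the continued-fraction convergents p/q of a rational x in order,
    each in lowest terms (the standard p_n = a_n p_{n-1} + p_{n-2} recurrence)."""
    p_prev, q_prev, p_cur, q_cur = 0, 1, 1, 0
    while True:
        a = floor(x)
        p_prev, p_cur = p_cur, a * p_cur + p_prev
        q_prev, q_cur = q_cur, a * q_cur + q_prev
        yield Fraction(p_cur, q_cur)
        rest = x - a
        if rest == 0:
            return
        x = 1 / rest


# --- Regulator: classical step after two runs of Algorithm 13.20 -------------

def quantum_core_stand_in(s, m, k):
    """Stand-in for a successful run of Algorithm 13.20: Theorem 13.21 says the
    output is y = [k m / s]; here the simulation picks k itself (constructed)."""
    return nearest_int(k * m / s)


def recover_s_estimate(y1, y2, m, near_multiple_of_s):
    """Continued fractions on y1/y2 (Section 3.4) plus the 'close to a multiple
    of s' test of [Hal02], modelled by the callback near_multiple_of_s.
    Returns (k1, a) with a = k1 m / y1, which the text shows satisfies |a - s| < 1."""
    for conv in convergents(Fraction(y1, y2)):
        k1 = conv.numerator
        if k1 == 0:
            continue  # the leading convergent 0/1 carries no information
        a = Fraction(k1 * m, y1)
        if near_multiple_of_s(a):
            return k1, a
    raise ValueError("no convergent passed the test; rerun Algorithm 13.20")


def regulator_demo(s=Fraction("1021.37"), m=3_200_000, k1=7, k2=19):
    """Constructed instance: s plays the role of N R_Delta, m > 3 s^2, gcd(k1, k2) = 1."""
    assert m > 3 * s * s and gcd(k1, k2) == 1
    y1 = quantum_core_stand_in(s, m, k1)
    y2 = quantum_core_stand_in(s, m, k2)

    def near_multiple_of_s(a):
        # Oracle standing in for the infrastructure computation that decides
        # whether a real number lies within 1 of a positive multiple of s.
        j = nearest_int(a / s)
        return j >= 1 and abs(a - j * s) < 1

    k1_found, a = recover_s_estimate(y1, y2, m, near_multiple_of_s)
    return y1, y2, k1_found, a


# --- PIDP: Algorithm 13.23 steps 2-4 and the check of Proposition 13.24 -------

def select_pidp_parameters(R, m, b):
    """R is a rational approximation of R_Delta (it must be far more precise than
    1/(4 q m)).  Walk the convergents p/q of b R until |bR - p/q| < 1/(4 q m), the
    threshold used in the proof of Proposition 13.24, and return (N, p), N = q b."""
    assert m > 2 * R                       # Step 2
    for conv in convergents(b * R):        # Step 3
        p, q = conv.numerator, conv.denominator
        if abs(b * R - conv) < Fraction(1, 4 * q * m):
            return q * b, p                # Step 4: N = q b
    raise ValueError("R was not precise enough to reach the threshold")


def pidp_demo(R=Fraction("1021.3712345678901234567890"), m=2100, b=3):
    """Returns (N, p, ok) where ok checks Proposition 13.24: |N R - [N R]| < 1/(4m)."""
    N, p = select_pidp_parameters(R, m, b)
    return N, p, abs(N * R - nearest_int(N * R)) < Fraction(1, 4 * m)
```

Run `regulator_demo()` to see the convergents of $\tfrac{y_1}{y_2}$ ($0/1$, $1/2$, $1/3$, $3/8$, $4/11$, $7/19$, ...) being rejected until $7/19$ passes the test, after which $a = \tfrac{7m}{y_1}$ lands within $0.02$ of the hidden $s$; the bound $m > 3s^2$ is what makes the rounding error $\varepsilon$ in $y_1$ contribute less than $1$ to $a$. `pidp_demo()` returns an $N$ divisible by $b$ together with the integer $p = [NR]$, and the final check is exactly the inequality of Proposition 13.24 evaluated in exact rational arithmetic.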

Once the parameters have been selected, we can run the following algorithm to solve PIDP.

Algorithm 13.25 (Core Of Solving PIDP).

1. Start in the state $|0\rangle|0\rangle|0\rangle \in \mathcal{H}_{mp} \otimes \mathcal{H}_p \otimes \mathcal{H}_l$, where $p = [NR_\Delta]$ and $l$ is chosen such that $l$ bits are sufficient to encode any point in the range of $h$.

2. Apply $\mathrm{QFT}_{mp} \otimes \mathrm{QFT}_p$ to the first two registers.

3. Apply $U_h$ to the system.

4. Measure the third register.

5. Apply $\mathrm{QFT}_{mp} \otimes \mathrm{QFT}_p$ to the first two registers.

6. Measure the first two registers to obtain the integers $(s, t)$. If $t > \tfrac{p}{n}$, begin the procedure again.

7. Otherwise, return $(s, t)$.

Theorem 13.26. With probability in $O\!\left(\tfrac{1}{\log(NR_\Delta)}\right)$, the output $(s, t)$ of Algorithm 13.25 satisfies
$$\frac{s}{mN} - \frac{\gamma_t}{mN} = at \bmod R_\Delta$$
for some $\gamma_t$ with $|\gamma_t| \le \tfrac{1}{2}$.
Proof Sketch. First we claim that for any integer $s$, there is exactly one integer $t$ with $0 \le t < NR_\Delta$ such that $(s, t) \in T$. To see this, suppose that $(s, t_1), (s, t_2) \in T$, with $0 \le t_1, t_2 < NR_\Delta$. Let $\varepsilon_i = (as + \tfrac{t_i}{N}) \bmod R_\Delta$ for $i = 1, 2$, and define the integers $k_1$ and $k_2$ such that $as + \tfrac{t_i}{N} = \varepsilon_i + k_i R_\Delta$. Then $0 \le \varepsilon_1, \varepsilon_2 < \tfrac{1}{N}$, so
$$\begin{aligned}
|\varepsilon_1 - \varepsilon_2| &< \tfrac{1}{N} \\
\left|as + \tfrac{t_1}{N} - k_1 R_\Delta - as - \tfrac{t_2}{N} + k_2 R_\Delta\right| &< \tfrac{1}{N} \\
\left|\tfrac{t_1 - t_2}{N} + (k_2 - k_1)R_\Delta\right| &< \tfrac{1}{N} \\
\left|\tfrac{t_1 - t_2}{N}\right| \bmod R_\Delta &< \tfrac{1}{N} \\
|t_1 - t_2| \bmod NR_\Delta &< 1.
\end{aligned}$$

Thus since $0 \le t_1, t_2 < NR_\Delta$ we must have $t_1 = t_2$.

We now define
$$\tilde{T} = \left\{(s, t) \in \mathbb{Z} \times \mathbb{Z} : 0 \le t < NR_\Delta,\ \left(as + \tfrac{t}{N}\right) \bmod R_\Delta < \tfrac{1}{N}\right\}$$
and it follows that for each $s \in \mathbb{Z}$, there is a unique element $(s, t) \in \tilde{T}$.

For each $s \in \mathbb{Z}$, we can use this unique element $(s, t)$ to define $\sigma_s$ such that $(as + \tfrac{t}{N}) \bmod R_\Delta = \tfrac{\sigma_s}{N}$. By the definition of $T$, $0 \le \sigma_s < 1$.

Then note that for each $(s, t) \in \tilde{T}$,
$$as + \frac{t}{N} - \frac{\sigma_s}{N} = kR_\Delta \tag{13.10}$$
for some integer $k$.

Now note the following:

1. $t < NR_\Delta$, so $kR_\Delta < as + R_\Delta$, and

2. $\sigma_s < 1$ (and $t \ge 0$), so $as - \tfrac{1}{N} < kR_\Delta$.

Combining these two inequalities we obtain
$$\frac{as}{R_\Delta} - \frac{1}{NR_\Delta} < k < \frac{as}{R_\Delta} + 1.$$
Therefore, with high probability, $k = \left\lceil \dfrac{as}{R_\Delta} \right\rceil$.

Rewriting Equation (13.10) we see that
$$\frac{t}{N} = \left\lceil \frac{as}{R_\Delta} \right\rceil R_\Delta - as + \frac{\sigma_s}{N}, \qquad\text{so}\qquad t = \left\lceil \frac{as}{R_\Delta} \right\rceil NR_\Delta - asN + \sigma_s. \tag{13.11}$$

After Step 3 of Algorithm 13.25 our system is in the state
$$\frac{1}{p\sqrt{m}}\sum_{x=0}^{mp-1}\sum_{y=0}^{p-1} |x\rangle|y\rangle|h(x, y)\rangle.$$

When we measure the third register in Step 4, we see a value $z$, and we leave the first two registers in a superposition of all states in which $z$ appears in the third register.

This value of $z$ effectively specifies an interval $I$ of length $\tfrac{1}{N}$, since its first coordinate is an ideal, and its second coordinate specifies a distance past that ideal (rounded down to a multiple of $\tfrac{1}{N}$). The interval $I$ will be approximately equal to the interval $I_{(0,v)}$ for some value of $v$, $0 \le v < NR_\Delta$; this approximation is also sufficient for our purposes. In other words, the measurement in Step 4 fixes a value $v$ such that the first two registers of our system are in the state
$$\frac{1}{\sqrt{mp}}\sum_{\substack{0 \le x < mp \\ 0 \le y < p \\ (x, y) \in T + (0, v)}} |x\rangle|y\rangle.$$

Since we are about to apply the same Fourier sampling technique discussed in Section 13.2.3, we can again make use of the fact that the distributions induced by applying the technique to superpositions of the elements of a set $X$ and of some coset of $X$ are identical. In this case, we can therefore assume without loss of generality that $v = 0$, or in other words, that the superposition above is over the elements of $T$. Further, since $0 \le y < p$, we can more precisely assume that the superposition is over the elements of $\tilde{T}$. Thus without loss of generality, we can assume that the first two registers are in the state
$$\frac{1}{\sqrt{mp}}\sum_{\substack{0 \le x < mp \\ (x, y) \in \tilde{T}}} |x\rangle|y\rangle
= \frac{1}{\sqrt{mp}}\sum_{x=0}^{mp-1} |x\rangle\left|\left\lceil \frac{ax}{R_\Delta} \right\rceil NR_\Delta - axN + \sigma_x\right\rangle
\quad\text{by Equation (13.11).}$$

Again we mention that this is not exactly the state of the first two registers because of the numerous approximations we have made along the way. However, these approximations have all been small enough so as to allow the remainder of the algorithm to succeed.



Temporarily let $y = \left\lceil \frac{ax}{R_\Delta} \right\rceil NR_\Delta - axN + \sigma_x$. Then after applying $\mathrm{QFT}_{mp} \otimes \mathrm{QFT}_p$ in Step 5, we obtain the state
$$\begin{aligned}
&\frac{1}{mp\sqrt{p}}\sum_{x=0}^{mp-1}\sum_{u=0}^{mp-1}\sum_{v=0}^{p-1} \exp\!\left(2\pi i\,\frac{xu}{mp}\right)\exp\!\left(2\pi i\,\frac{yv}{p}\right)|u\rangle|v\rangle \\
&= \frac{1}{mp\sqrt{p}}\sum_{x=0}^{mp-1}\sum_{u=0}^{mp-1}\sum_{v=0}^{p-1} \exp\!\left(2\pi i\,\frac{xu + yvm}{mp}\right)|u\rangle|v\rangle.
\end{aligned}$$

The probability of obtaining a particular measurement result $(s, t)$ is therefore given by
$$P_{(s,t)} = \left|\frac{1}{mp\sqrt{p}}\sum_{x=0}^{mp-1} \exp\!\left(2\pi i\,\frac{xs + ytm}{mp}\right)\right|^2. \tag{13.12}$$
As in [Hal02] (but in more detail) we now analyse this distribution.

The condition on $(s, t)$ given in the statement of the theorem is equivalent to
$$\frac{s}{mN} - \frac{\gamma_t}{mN} = at + kR_\Delta \tag{13.13}$$
for some integer $k$. Note the following:

1. $\gamma_t \le \tfrac{1}{2}$ (and $s \ge 0$), so $-\tfrac{1}{2mN} - at \le kR_\Delta$, and

2. $\gamma_t \ge -\tfrac{1}{2}$ and $s < mNR_\Delta$, so $R_\Delta + \tfrac{1}{2mN} - at > kR_\Delta$.

Combining these two inequalities, we obtain
$$-\frac{at}{R_\Delta} - \frac{1}{2mNR_\Delta} \le k < -\frac{at}{R_\Delta} + 1 + \frac{1}{2mNR_\Delta}.$$
Therefore, with high probability, $k = -\left\lfloor \dfrac{at}{R_\Delta} \right\rfloor$.

Rewriting Equation (13.13), we see that
$$\frac{s}{mN} - \frac{\gamma_t}{mN} = at - \left\lfloor \frac{at}{R_\Delta} \right\rfloor R_\Delta,$$
so
$$s = atmN - \left\lfloor \frac{at}{R_\Delta} \right\rfloor mNR_\Delta + \gamma_t. \tag{13.14}$$

Now note that
$$\begin{aligned}
xs + ytm &= xatmN - x\left\lfloor \frac{at}{R_\Delta} \right\rfloor mNR_\Delta + x\gamma_t + \left\lceil \frac{ax}{R_\Delta} \right\rceil NR_\Delta tm - axNtm + \sigma_x tm \\
&= mNR_\Delta\left(t\left\lceil \frac{ax}{R_\Delta} \right\rceil - x\left\lfloor \frac{at}{R_\Delta} \right\rfloor\right) + x\gamma_t + tm\sigma_x.
\end{aligned}$$
Now define $\lambda$ such that $p = NR_\Delta + \lambda$. Since $p = [NR_\Delta]$, by Proposition 13.24 $|\lambda| < \tfrac{1}{4m}$. Then $mNR_\Delta = mp - m\lambda$, and taking the above equation modulo $mp$, we obtain
$$xs + ytm \equiv -\lambda m\left(t\left\lceil \frac{ax}{R_\Delta} \right\rceil - x\left\lfloor \frac{at}{R_\Delta} \right\rfloor\right) + x\gamma_t + tm\sigma_x \pmod{mp}.$$

Finally, define $\delta_t$ and $\delta_x$ such that
$$\left\lfloor \frac{at}{R_\Delta} \right\rfloor = \frac{at}{R_\Delta} - \delta_t \qquad\text{and}\qquad \left\lceil \frac{ax}{R_\Delta} \right\rceil = \frac{ax}{R_\Delta} + \delta_x.$$
Then $0 \le \delta_t, \delta_x < 1$. Thus the above equation becomes
$$\begin{aligned}
xs + ytm &\equiv -\lambda m\left(t\frac{ax}{R_\Delta} + t\delta_x - x\frac{at}{R_\Delta} + x\delta_t\right) + x\gamma_t + tm\sigma_x \pmod{mp} \\
&= -\lambda m t\delta_x - \lambda m x\delta_t + x\gamma_t + tm\sigma_x \pmod{mp} \\
&= x\left(\gamma_t - \lambda m\delta_t\right) + tm\left(\sigma_x - \lambda\delta_x\right) \pmod{mp}.
\end{aligned} \tag{13.15}$$

Note that
$$|\gamma_t - \lambda m\delta_t| \le |\gamma_t| + |\lambda m\delta_t| < \frac{1}{2} + m\cdot\frac{1}{4m} = \frac{3}{4}. \tag{13.16}$$

Also
$$\left|\frac{tm(\sigma_x - \lambda\delta_x)}{mp}\right| \le \frac{tm(1 - 0)}{mp} = \frac{t}{p} \le \frac{1}{n} \tag{13.17}$$
since in Step 6 we accepted only values of $t$ with $t \le \tfrac{p}{n}$.

If we let $\alpha = \gamma_t - \lambda m\delta_t$ and $\beta(x) = \dfrac{tm(\sigma_x - \lambda\delta_x)}{mp}$, then by Equation (13.16) and Equation (13.17), respectively, the hypotheses of Proposition 13.22 are again satisfied.
Further, combining Equation (13.12) and Equation (13.15), we see that
$$\begin{aligned}
P_{(s,t)} &= \left|\frac{1}{mp\sqrt{p}}\sum_{x=0}^{mp-1} \exp\!\left(2\pi i\,\frac{x(\gamma_t - \lambda m\delta_t) + tm(\sigma_x - \lambda\delta_x)}{mp}\right)\right|^2 \\
&= \frac{1}{m^2 p^3}\left|\sum_{x=0}^{mp-1} e^{2\pi i\left(\frac{x}{mp}\alpha + \beta(x)\right)}\right|^2.
\end{aligned}$$

We can therefore apply Proposition 13.22 to the above sum, and deduce that
$$P_{(s,t)} \ge \frac{1}{m^2 p^3}\,c\,(mp)^2 = \frac{c}{p} \approx \frac{c}{NR_\Delta}.$$

Finally, we calculate the number of $(s, t)$ that satisfy the conditions of the theorem. By the condition in Step 6 we know that $0 \le t \le \tfrac{p}{n}$. Using the fact that $\log(NR_\Delta) > n$, we can obtain a lower bound on the number of such $(s, t)$ by counting only those that satisfy
$$0 \le t \le \frac{p}{\log(NR_\Delta)}. \tag{13.18}$$

Since $p = [NR_\Delta]$, then $0 \le t \le \tfrac{NR_\Delta}{\log(NR_\Delta)}$ (approximately), and for each value of $t$, there must be at least one value of $s$ such that $(s, t) \in T$. Thus there are at least $\tfrac{NR_\Delta}{\log(NR_\Delta)}$ values $(s, t)$ that satisfy the conditions of the theorem and Equation (13.18).

The probability that the output of the algorithm satisfies the conditions of the theorem is therefore at least
$$\frac{NR_\Delta}{\log(NR_\Delta)}\cdot\frac{c}{NR_\Delta} = \frac{c}{\log(NR_\Delta)},$$
which is in $O\!\left(\tfrac{1}{\log(NR_\Delta)}\right)$ as required. □
The remainder of the algorithm to solve PIDP is purely classical, and we do not prove its correctness here (see [Hal02]). The algorithm works as follows: we run Algorithm 13.25 until we obtain ordered pairs $(s_1, t_1)$ and $(s_2, t_2)$ with $\gcd(t_1, t_2) = 1$. By Theorem 13.26 with high probability the ordered pairs satisfy $\tfrac{s_i}{mN} = at_i \bmod R_\Delta$ for $i = 1, 2$. We then use the extended Euclidean algorithm to find integers $x, y$ such that $xt_1 + yt_2 = 1$, and compute $\tilde{a} = \tfrac{xs_1 + ys_2}{mN} \bmod R_\Delta$. As proven in [Hal02], $|a - \tilde{a}| < 1$.

It is acknowledged in [Hal02] that we would like to compute $a$ to a higher accuracy, but no specific method to do so is described. One such method would be to consider the interval $[\tilde{a} - 1, \tilde{a} + 1]$, select $N$ equally-spaced points in the interval, and perform a binary search among those $N$ points, finally selecting the smallest point $\hat{a}$ for which $\lambda(\hat{a}) = \mathfrak{a}$. Then we know that

Therefore there exists a polynomial-time quantum algorithm to solve PIDP (that is, to determine the distance of a principal ideal to arbitrary precision, depending on our choice of $N$).
Conclusions And Future Work



While large-scale quantum computers are not currently technologically feasible, this the- 
sis has demonstrated that if they ever become realistic, they will pose a serious threat 
to much of our secret communication. Today's most widely-used public key cryptosys- 
tems, such as the RSA cryptosystem studied in Chapter 4 and the ElGamal cryptosystem 
studied in Chapter 6, as well as the popular key establishment protocols like the Diffie- 
Hellman protocol from Chapter 12, are open to polynomial-time attacks with a quantum 
computer. 

Other less popular cryptosystems have been proposed that rely on the hardness of 
other problems, and these schemes may be candidates for systems that resist quantum 
cryptanalysis. For example, the McEliece cryptosystem described in Chapter 7 does 
not seem to fit into a framework in which it could be attacked with today's known set 
of quantum algorithms. However, such less popular schemes may suffer from a lack of 
efficiency compared to the more commonly used algorithms, and they may not have 
received the same degree of academic scrutiny as their more established counterparts. 
However, not all of these alternative classical schemes are quantum-resistant: for example, 
the real version of the Buchmann-Williams key establishment protocol from Chapter 13 
does not seem to suffer from classical vulnerabilities, but recent developments in quantum 
algorithm theory have exposed some quantum weaknesses. 

This thesis has also touched on cryptosystems of historical importance, even though 
such cryptosystems may no longer be feasible choices given the existence of known clas- 
sical attacks. The lattice-based schemes presented in Chapter 8 and Chapter 9 are based 
on hard problems that are fundamentally different from the standard cryptosystems in 
use today, although unlike the McEliece cryptosystem, they have been shown to have 
serious classical weaknesses. Nonetheless, they could provide a starting point for further 
investigation of lattice-based cryptography. The NTRU scheme studied in Chapter 10 is 
an example of another scheme that could resist a quantum attack if its recently discovered 
classical vulnerabilities can be overcome. 

Another new class of cryptosystems is made up of schemes that use a quantum com- 
puter to aid the parties who wish to communicate securely; the quantum scheme described 
in Chapter 11 is one concrete example of a scheme from this class. Since these cryptosys- 
tems are necessarily quite new, and since they are currently only of theoretical interest, 
they have not received much attention in the academic community. However, as attackers 
begin to include quantum computers in their arsenals, the legitimate parties to secure 
communication may be able to stay one step ahead by also using quantum computers. 

Further, while this thesis has touched on many of today's important cryptosystems, 
there are still many more that could bear further investigation in a quantum setting. 
Examples of such cryptosystems would be newly-proposed schemes where operations are 
carried out in a braid group [AAG99, AAFG01]. This thesis could also be extended by 
performing quantum security analyses of public key signature schemes, which attempt 
to provide authentic (as opposed to confidential) communication. Many of the cryp- 
tosystems discussed in this thesis, such as the RSA, ElGamal, and NTRU schemes, have 
associated signature schemes that are based on the hardness of similar problems. An- 
other extension would be to analyse some of the popular symmetric key cryptosystems 
in use today to see whether they might be susceptible to quantum attacks. 

This thesis has gathered together many results from several areas of mathematics and 
has presented them in a practical way. It has attempted to provide a clear presentation 
of the basics of public key cryptography (for the cryptographic beginner) and a concise 
introduction to many of the basics of quantum computation (for the quantum beginner). 
Each cryptosystem has been presented along with enough background material to make 
its basic concepts easy to understand. In some cases, such as that of the quantum 
scheme in Chapter 11, the presentation has involved making some minor corrections and 
clarifications to ambiguities in the original papers. In other cases, such as that of the 
new quantum algorithms presented in Section 13.2.3 and Section 13.2.4, the presentation 
has also been expanded considerably to provide a more detailed and precise analysis 
geared to be more accessible to those without expertise in the field. Wherever possible, 
parallels have been drawn between similar cryptosystems, or between cryptosystems built 
on similar ideas. For many of the cryptosystems mentioned in this thesis, this may be 
the first time that the schemes have been considered in a quantum setting. 

The main goal of this thesis, however, has been to make it clear that the encryption 
schemes in current use will not provide a high level of security in a quantum setting. 
While it would be unwise to claim that cryptosystems that currently resist quantum 
attacks will necessarily continue to resist them, it would also be unwise to ignore the 
possibility that large-scale quantum attacks will one day be feasible. We need to start 
investigating alternative quantum-resistant cryptosystems now, in the event that we one 
day need to make use of them. 